Ώμ²₯³ΙΘΛ

Information security at Ώμ²₯³ΙΘΛ

β€”

Last revised: July 2, 2024

1. Service Overview

As a provider of technology solutions to schools, Ώμ²₯³ΙΘΛ’s commitment to data privacy and security is essential to our organization. This overview of Ώμ²₯³ΙΘΛ’s Information Security Program describes physical, technical and administrative safeguards Ώμ²₯³ΙΘΛ implements to protect student data in our care.

Company profile

Ώμ²₯³ΙΘΛ Education, Inc. (Ώμ²₯³ΙΘΛ) is a privately held company founded in 2000 as Wireless Generation. Ώμ²₯³ΙΘΛ’s products include curriculum and instruction, assessment and intervention, professional development services and consulting services for K-12 education.

Service hosting

Ώμ²₯³ΙΘΛ leverages Amazon Web Services (AWS) as its cloud hosting provider. Within AWS, Ώμ²₯³ΙΘΛ utilizes Virtual Private Clouds (VPCs), which provide an isolated cloud environment within the AWS infrastructure. External network traffic to a VPC is managed via gateway and firewall rules, which are maintained in source code control to ensure that the configuration remains in compliance with Ώμ²₯³ΙΘΛ security policy. In addition, the production VPCs and the development VPCs are isolated Ώμ²₯³ΙΘΛ each other and maintained in separate AWS accounts.

2. Policies & standards

Information security program

Ώμ²₯³ΙΘΛ maintains a comprehensive information security program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the NIST SP 800-53 Rev. 5 family of information security controls. These provide a robust framework of best practices Ώμ²₯³ΙΘΛ which an organization can build its security policies and protocols based on identified risks, compliance requirements, and business needs. They cover critical practice areas, including access control, configuration management, incident response, security training, and other information security domains.

Governance

Ώμ²₯³ΙΘΛ’s Information Security Committee has primary responsibility for the development, maintenance, and implementation of the Ώμ²₯³ΙΘΛ information security program. The Information Security Committee is responsible for all information risk management activities within the company and is composed of technology, business and legal leaders Ώμ²₯³ΙΘΛ the organization. The Committee meets weekly and includes a dedicated VP of Information Security and a program manager to oversee, direct and coordinate its activities.

Policy execution

Adherence to the internal Ώμ²₯³ΙΘΛ information security policy is an obligation of every Ώμ²₯³ΙΘΛ employee. Ώμ²₯³ΙΘΛ conducts a series of internal monitoring procedures to verify compliance with internal information security policies, and all Ώμ²₯³ΙΘΛ employees undergo annual criminal background checks. In addition, any third-party contractors who come into contact with systems that may contain student data are contractually bound to maintain security and privacy of the data.

3. Data access controls

Access control

Ώμ²₯³ΙΘΛ’s access control principles dictate that all student data we store on behalf of customers is only accessible to district-authorized users and to a limited set of internal Ώμ²₯³ΙΘΛ users who may only access the data for purposes authorized by the district. Districts maintain control over their internal users and may grant or revoke access.

In limited circumstances and strictly for the purposes of supporting school districts and maintaining the functionality of systems, certain Ώμ²₯³ΙΘΛ users may access Ώμ²₯³ΙΘΛ systems with student data. All such access to student data by Ώμ²₯³ΙΘΛ technicians or customer support requires both authentication and authorization to view the information.

Encryption

Data encryption is an important element of our protection of sensitive data at rest and in transit, and is reviewed and updated as appropriate annually, based on the latest standards and guidelines published by OWASP and NIST.

  • In transit: Ώμ²₯³ΙΘΛ encrypts all student data in transit over public connections, using Transport Layer Security (TLS), commonly known as SSL, using industry-standard protocols, ciphers, algorithms, and key sizes.
  • At rest: Ώμ²₯³ΙΘΛ encrypts student data at rest using the industry-standard AES-256 encryption algorithm.

4. Application security by design

Building the right roles into applications

Permissions within Ώμ²₯³ΙΘΛ applications are designed on the principle that school districts control access to all student data. To facilitate this, Ώμ²₯³ΙΘΛ applications are designed so that roles and permissions flow Ώμ²₯³ΙΘΛ the district to the individual user. For example, applications that offer schools a way to collect and report on assessment results have a web interface that requires district administrators to authorize individuals to view student data.

Security controls within applications are used to ensure that the desired privacy protections are technically enforced within the system. For example, if a principal is supposed to see only the data related to his or her school, Ώμ²₯³ΙΘΛ ensures that, throughout the design and development process, our products restrict principals Ώμ²₯³ΙΘΛ seeing records for any students outside his or her school.

To make sure Ώμ²₯³ΙΘΛ applications properly enforce permissions and roles, our development teams conduct reviews early in the design process to ensure roles and permissions are an essential component of the design of new applications.

Building security controls into applications

Ώμ²₯³ΙΘΛ applications are also developed to minimize security vulnerabilities and ensure industry-standard application security controls are in place.

As part of the development process, Ώμ²₯³ΙΘΛ has a set of application security standards that all applications handling student data are required to follow, including:

  • Student data is secured using industry standard encryption when in transit between end-users and Ώμ²₯³ΙΘΛ systems.
  • Applications are built with password brute-force attack prevention.
  • User sessions expire after a fixed period of time.

We also conduct manual and automated static code analysis as well as dynamic application security testing to preemptively identify vulnerabilities published by industry leaders such as OWASP (Open Web Application Security Project)

5. Proactive security

Risk assessments

Ώμ²₯³ΙΘΛ periodically engages a security consulting firm to conduct risk assessments, aimed at identifying and prioritizing security vulnerabilities. The Information Security Committee coordinates remediation of the vulnerabilities. The security consulting firm also provides ongoing advice on current risks and advises on remediation of vulnerabilities and incident response.

Penetration testing

Ώμ²₯³ΙΘΛ engages third-party firms to continually conduct application penetration testing.Β  The purpose of this testing is to test for application security vulnerabilities in the production environment.Β  We work with third party penetration testing program partners. Third-party testing involves a combination of automated and manual testing.

Vulnerability management

Ώμ²₯³ΙΘΛ ensures that its systems are free of known vulnerabilities in several ways. Every production server runs vulnerability detection software that compares the installed software against a global database of known vulnerabilities. Secondly, we employ real time network monitoring that reports on any potentially malicious traffic. In addition, a third-party security firm continually reviews all of our system logs for potential security breaches. Lastly we continually test our applications against common malicious internet traffic. Violations in any of these areas will alert one of our operations teams, who are available around the clock.

In addition, Ώμ²₯³ΙΘΛ participates in a private bug bounty program through HackerOne, working with the security community to find security vulnerabilities and support our efforts to keep our data and systems safe and secure.

Endpoint security

Access to production systems at Ώμ²₯³ΙΘΛ is restricted to a limited set of internal Ώμ²₯³ΙΘΛ users to support technical infrastructure, troubleshoot customer issues, or other purposes authorized by the district. In addition, Ώμ²₯³ΙΘΛ requires multi-factor (MFA) authentication methods for access to all production systems. MFA involves a combination of something only the user knows and something only the user can access. For example, MFA for administrative access could involve entering a password as well as entering a one-time passcode sent via text message to the administrator’s mobile phone. The use of MFA reduces the possibility that an unauthorized individual could use a compromised password to access a system.

Infrastructure security

Network filtering technologies are used to ensure that production environments with student data are properly segmented Ώμ²₯³ΙΘΛ the rest of the network. Production environments only have limited external access to enable customers to use our web interfaces and other services. In addition, Ώμ²₯³ΙΘΛ uses firewalls to ensure that development servers have no access to production environments.

Other measures that Ώμ²₯³ΙΘΛ takes to secure its operational environment include system monitoring to detect anomalous activity that could indicate potential attacks and breaches.

Security training

At Ώμ²₯³ΙΘΛ, we believe that protecting student data is the responsibility of all employees. We implemented a comprehensive information security awareness training program that all employeesΒ  undergo upon initial hire, with an annual refresher training. We also provide information security training and annual social engineering tests for specific departments based on role.

6. Reactive security

Monitoring

Intrusion detection and prevention systems (IDS/IPS) are in place to analyze the network device logs, monitor the network and report anomalous activity for appropriate resolution.

Incident response

Ώμ²₯³ΙΘΛ maintains a comprehensive Security Incident Response Policy Plan, which sets out roles, responsibilities and procedures for reporting, investigation, containment, remediation and notification of security incidents. Ώμ²₯³ΙΘΛ works with reputable firms for incident response and digital forensics support, as well as annual table-top exercises in coordination with cybersecurity experts.

Business Continuity Planning and Disaster Recovery

Ώμ²₯³ΙΘΛ maintains a comprehensive Business Continuity Planning and Disaster Recovery Plan (BCP/DR), to guide personnel in procedures to protect against business disruptions caused by an unexpected event. The plans and related operations processes are tested on a semiannual basis, with ensuing operations improvement and remediation work.

7. Compliance

Audits

In addition to penetration testing and other proactive security testing and monitoring outlined above, Ώμ²₯³ΙΘΛ undergoes annual SOC 2 Type 2 examinations of controls relevant to security. The examination is formally known as a Type 2 Independent Service Auditor’s Report on Controls Relevant to Security. The most recent examinations were conducted by Schellman & Company, LLC and covers the period Ώμ²₯³ΙΘΛ April 1, 2023–March 31, 2024 for Ώμ²₯³ΙΘΛ, and October 1, 2023–March 31, 2024 for Desmos Platform. The report states that Ώμ²₯³ΙΘΛ’s systems meet the criteria for the security principle and opine on management’s description of the organization’s system and the suitability of the design of controls to protect against unauthorized access, use, or modification.

The Type 2 report also opines on the operating effectiveness of controls over the review period. This means that our auditors confirmed that we have continued to follow established security controls over the period of time of the review.

Certifications

SOC 2: Ώμ²₯³ΙΘΛ successfully completed the SOC 2 Type 2 examination of controls relevant to security (see above, under β€œAudits”).

Privacy

Ώμ²₯³ΙΘΛ’s products are built to facilitate district compliance with applicable data privacy laws, including FERPA and state laws related to the collection, access and review and disclosure of student data. Ώμ²₯³ΙΘΛ’s describes the types of information collected and maintained on behalf of our school district customers and limitations on use and sharing of that data. Ώμ²₯³ΙΘΛ is also an early adopter and proud signatory of the , an industry-wide pledge to safeguard privacy and security of student data.

8. Supporting documentation

In the course of customer security assessment, the following documentation can be provided by Ώμ²₯³ΙΘΛ upon customers’ request:

  • Penetration Testing Report
  • Risk Assessment Report
  • SOC 2 Type 2 Report

9. Report a vulnerability

To report a security vulnerability, click here.

Β© 2025 Ώμ²₯³ΙΘΛ Education, Inc.

Ώμ²₯³ΙΘΛ Education, Inc. 55 Washington St #800, Brooklyn, NY 11201. Core Knowledge® and related trademarks are the property of the Core Knowledge Foundation. Desmos®Β is a registered trademark of Desmos Studio PBC.Β DIBELS®Β is a registered trademark of the University of Oregon. The Lawrence Hall of Science is a trademark of the Regents of the University of California. IM K–12 Math and Illustrative Mathematics® are trademarks of Illustrative Mathematics, which is not affiliated with Ώμ²₯³ΙΘΛ. Ώμ²₯³ΙΘΛ is not an IM Certified Partner.