1. Introduction

This policy outlines the security measures and responsibilities for protecting sensitive information managed by School Safety Assurance International (SSAI), a SaaS and cloud-based platform. It applies to all employees, contractors, and third parties who interact with SSAI systems, data, and resources.

The policy ensures the confidentiality, integrity, and availability of data processed, stored, and transmitted through SSAI’s cloud-based platform. All employees must read, understand, and acknowledge this policy. The policy will be reviewed annually or as required to incorporate new security standards and regulations.

2. Purpose

The purpose of this policy is to:

  • Protect sensitive information, including customer and cardholder data, from unauthorized access, disclosure, or misuse.
  • Ensure compliance with applicable laws, regulations, and standards (e.g., PCI DSS, GDPR, DPDP Act 2023).
  • Safeguard SSAI’s SaaS platform, cloud infrastructure, and customer trust.

3. Scope

This policy applies to:

  • All SSAI employees, contractors, and third-party service providers.
  • All cloud-based systems, SaaS applications, and networks used to process, store, or transmit sensitive information.
  • All forms of sensitive data, including customer data, cardholder data, and business-critical information.

4. Information Security Principles

SSAI is committed to:

  1. Confidentiality: Ensuring that sensitive information is accessible only to authorized individuals.
  2. Integrity: Protecting data from unauthorized modification or destruction.
  3. Availability: Ensuring that information and systems are available when needed.

5. SaaS and Cloud-Specific Security Measures

5.1 Cloud Infrastructure Security

  • SSAI’s platform is hosted on a secure cloud infrastructure (e.g., AWS, Azure, or GCP) with industry-standard security controls.
  • All cloud resources are configured to follow best practices, including encryption, access control, and monitoring.
  • Multi-region redundancy is implemented to ensure high availability and disaster recovery.

5.2 Data Encryption

  • All sensitive data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
  • Encryption keys are managed securely using a Key Management System (KMS) provided by the cloud provider.

5.3 Identity and Access Management (IAM)

  • Role-based access control (RBAC) is enforced to ensure least-privilege access.
  • Multi-factor authentication (MFA) is mandatory for all administrative accounts.
  • Access to cloud resources is logged and monitored for anomalies.

5.4 Monitoring and Logging

  • Continuous monitoring of cloud resources is performed using tools like AWS CloudTrail, Azure Monitor, or GCP Cloud Logging.
  • Security Information and Event Management (SIEM) systems are used to analyze logs and detect threats in real time.

6. Employee Responsibilities

All employees must:

  • Handle sensitive information in accordance with its classification (e.g., Confidential, Internal Use, Public).
  • Protect passwords and accounts by using strong passwords and not sharing credentials.
  • Lock computer screens and secure workstations when unattended.
  • Avoid using SSAI resources for illegal, offensive, or unauthorized activities.
  • Report security incidents immediately to the designated incident response team.

7. Acceptable Use Policy

Employees must:

  • Use SSAI’s SaaS platform and cloud resources responsibly and for authorized purposes only.
  • Avoid installing unauthorized software or accessing unapproved cloud services.
  • Exercise caution when opening email attachments from unknown sources to prevent malware infections.
  • Ensure that portable devices (e.g., laptops, USB drives) are encrypted and secured.

8. Data Protection

8.1 Protecting Stored Data

  • Sensitive customer data is stored in encrypted cloud databases with access restricted to authorized personnel.
  • Data retention policies are enforced to ensure data is deleted when no longer required.

8.2 Protecting Data in Transit

  • All data transmitted between the SaaS platform and users is encrypted using HTTPS with TLS 1.2 or higher.
  • APIs exposed by the platform are secured with authentication tokens and encryption.

9. Access Control

  • Access to the SaaS platform and cloud resources is granted on a need-to-know basis and must be authorized by management.
  • Privileged access (e.g., admin accounts) must be restricted and monitored.
  • User accounts for terminated employees must be deactivated immediately.
  • Multi-factor authentication (MFA) is mandatory for all users accessing sensitive data.

10. Incident Response

SSAI has an established Incident Response Plan to address security breaches. Key steps include:

  1. Isolating compromised systems or cloud resources.
  2. Investigating and analyzing logs to determine the cause and impact.
  3. Notifying affected parties, including regulatory authorities and customers.
  4. Implementing corrective actions to prevent recurrence.

11. Security Awareness and Training

  • All employees must undergo regular security awareness training tailored for SaaS and cloud environments.
  • Employees handling sensitive data must acknowledge their understanding of this policy annually.
  • Third-party service providers must comply with SSAI’s security requirements.

12. Network and Cloud Security

  • Virtual Private Cloud (VPC) configurations are used to isolate sensitive resources.
  • Firewalls and security groups are configured to restrict unauthorized access.
  • All inbound and outbound traffic is monitored and logged.
  • Wireless networks used to access cloud resources must implement WPA3 encryption.

13. System and Password Policy

  • All systems must be configured according to industry best practices (e.g., NIST, ISO 27001).
  • Default vendor accounts and passwords must be changed before deployment.
  • Passwords must:
    • Be at least 12 characters long.
    • Include uppercase, lowercase, numbers, and special characters.
    • Be changed every 90 days.
  • Accounts will be locked after 5 failed login attempts.

14. Vulnerability and Patch Management

  • Vulnerability scans must be conducted quarterly and after significant system changes.
  • Security patches for cloud resources and SaaS applications must be applied within 30 days of release.
  • Exceptions must be documented and approved by management.

15. Third-Party Access

  • Third-party service providers must:
    • Sign a Service Level Agreement (SLA) acknowledging their responsibility for securing sensitive data.
    • Comply with PCI DSS and other applicable standards.
    • Undergo regular security assessments.

16. Audit and Log Review

  • Logs from cloud resources, SaaS applications, and firewalls must be reviewed regularly.
  • Audit logs must be retained for at least 3 months online and 12 months offline.
  • Suspicious activities must be escalated to the incident response team.

17. Secure Application Development

  • All SaaS applications must be developed following secure coding practices (e.g., OWASP guidelines).
  • Vulnerability assessments and penetration tests must be conducted before deployment.
  • Developers must address common vulnerabilities, including:
    • SQL injection.
    • Cross-site scripting (XSS).
    • Broken authentication.

18. Anti-Virus and Malware Protection

  • All endpoints accessing the SaaS platform must run up-to-date anti-virus software.
  • Suspicious emails and attachments must be reported and deleted.

19. Disposal of Data

  • Data no longer required must be securely deleted from cloud storage using secure deletion methods (e.g., AWS S3 Object Lock, Azure Blob Soft Delete).
  • Hard copies of sensitive data must be shredded or incinerated.

20. Compliance and Disciplinary Action

  • Non-compliance with this policy will result in disciplinary action, up to and including termination.
  • Claims of ignorance or good intentions will not be accepted as excuses for violations.

21. Review and Updates

This policy will be reviewed annually or as required to address changes in regulations, technology, or business needs.