Chapter I - Health and Safety

Part 4.0 Privacy and School Safety

Section 4.8 Technology Security Policy

Subsection 4.8.1 Remediation Plan

I. Key Definitions 

An incident is defined as any indication that data may have been lost, stolen, accessed, or acquired without authorization.

A breach is defined as an incident in which the loss, theft, or unauthorized access or acquisition of data has been confirmed.

APA categorizes data security incidents into three primary categories:

  • Internal Risk - An incident caused by the direct actions of a student or staff member.
  • Employee Risk - An incident that results from a lack of employee training or from malicious employee action.
  • External Risk - An incident caused by forces outside the organization.

Risk Response Teams

Internal Risk Response

  • APA has appointed a Data Security Committee for internal risk that includes the following individuals:
    • IT Director
    • Data Privacy Manager
    • Data Stewards (campus administrators)
    • Business Manager
    • A member of the Governing Board

Employee Risk Response

  • APA has appointed a Data Security Committee for employee risk that includes the following individuals:
    • IT Director 
    • Data Privacy Manager 
    • Business Manager 
    • HR Partner 
    • Professional Development Team Member 

External Risk Response

  • APA has appointed a Data Security Committee for external risk that includes the following individuals:
    • IT Director 
    • Data Privacy Manager 
    • IT Security Manager

II. Remediation Policies by Incident Type

A. Internal Risk 

  1. To mitigate Internal Risk, our teams must establish and maintain security practices in line with industry standards and with USBE guidelines on data security and data privacy.
  2. Internal risk mitigation is based on a plan of response for when an industry standard or a USBE standard is violated. Remediation for internal risks involves the following steps. The steps need not happen one at a time; they are often carried out in conjunction with, or simultaneously with, other steps.
  3. An investigation is conducted by a member of the Data Security Committee - collection of evidence and all available information regarding the incident.
    1. This should include interviews of those affected.
    2. This should include interviews of those who reported or discovered the incident.
  4. Immediate action to close or remediate the breach that does not require an immediate policy change.
    1. For example, removal or suspension of the user access that was responsible.
    2. Temporary suspension of software or a program identified in the investigation.
  5. A summary of the investigation is prepared by a member of the Data Security Committee.
  6. The Data Security Committee meets to review the findings of the investigation.
    1. In this meeting, a Plan of Action is put in place that covers the following items:
      1. Communication to those who were affected
      2. Reporting/Communication to any required entities
      3. Review of the short-term steps taken to close the immediate breach
      4. Review of any resources needed to make permanent changes that address the breach
      5. Review of any disciplinary action recommended for staff or students

B. Employee Risk

Employee risk remediation is focused on prevention rather than reactive planning. It is APA policy that all staff receive data security and data privacy training at least once per year. This training is considered part of each staff member's annual Professional Development requirements.

The curriculum for this training is updated annually by the IT Director and the Data Privacy Manager to ensure compliance with State and Federal guidelines.

In the event of an incident or confirmed breach involving employee action, the steps are similar to those for Internal and External risks; however, a member of the HR team is involved in all steps.

  1. An investigation is conducted by a member of the Data Security Committee in partnership with an HR Team member - collection of evidence and all available information regarding the incident.
    1. This should include interviews of those affected.
    2. This should include interviews of those who reported or discovered the incident.
  2. Immediate action to close or remediate the breach that does not require an immediate policy change.
    1. For example, removal or suspension of the user access that was responsible.
    2. Temporary suspension of software or a program identified in the investigation.
  3. A summary of the investigation is prepared by a member of the Data Security Committee.
  4. The Data Security Committee meets to review the findings of the investigation.
    1. In this meeting, a Plan of Action is put in place that covers the following items:
      • Communication to those who were affected
      • Reporting/Communication to any required entities
      • Review of the short-term steps taken to close the immediate breach
      • Review of any resources needed to make permanent changes that address the breach
      • Review of any disciplinary action recommended for staff or students

C. External Risk 

External risk is handled the same way as the other categories, with the following exceptions:

  1. Because these risks are most likely highly technical in nature, specialized IT staff are often involved immediately, and investigations are conducted as a team rather than by an individual.
  2. External risk is one of the most expensive categories to remediate or prevent. It is therefore reviewed on a quarterly basis to ensure that we have the ongoing funding required to mitigate these risks.