(Compliant with NYSED Education Law §2-d and NIST Cybersecurity Framework v1.1)
1. Implementation of Contract Requirements
DCACLab implements data security and privacy contract requirements through a comprehensive technical framework that ensures continuous compliance throughout the contract lifecycle. Our core security infrastructure utilizes SSL/TLS encryption for all data transmission and server access, combined with private database configurations protected by multi-factor authentication systems. These technical controls are maintained and monitored continuously to ensure data protection standards are met throughout the contract duration. Upon contract transition and termination, we provide secure data destruction upon request, including complete data purging from all systems to ensure no residual data remains in our infrastructure.
2. Safeguards to Protect PII
- Administrative Safeguards:
- Access to sensitive data is limited to authorized personnel only.
- Internal policies govern data handling and privacy practices.
- Operational Safeguards:
- Regular automated backups.
- Server IP is not publicly exposed, reducing risk of targeted attacks.
- Internal-only access to databases (no public IP address for DB access).
- Technical Safeguards:
- Protected by advanced edge security including DDoS protection, WAF, and secure TLS encryption.
- Encrypted data transmission (HTTPS).
- Database access with firewall restrictions.
3. Training on Privacy Laws
DCACLab is operated by a small, highly skilled team, with leadership that includes DevOps engineering expertise. The organization maintains ongoing training on privacy and data protection regulations through professional development and consulting work with other technology firms. While DCACLab does not yet have a formal training program due to its size, the team's hands-on experience ensures that best practices around PII confidentiality—especially those aligned with FERPA and Ed Law §2-d—are understood and applied in operations.
4. Contracting Requirements
At DCACLab, data access is strictly limited. Only authorized leadership with DevOps responsibilities has access to production databases. No other employees or subcontractors are granted access to systems containing Personally Identifiable Information (PII). All personnel with database access adhere to internal security protocols and strict confidentiality standards. This tight access control reflects our strong commitment to data privacy and security.
5. Incident Management
DCACLab has a clear process for managing data privacy and security incidents involving PII. Systems are monitored for unusual activity, and any incident is promptly investigated and contained. If a breach is confirmed, we notify affected parties and relevant authorities in accordance with applicable laws (e.g., FERPA, Ed Law §2-d). All incidents are documented, and preventive measures are implemented to avoid recurrence.
6. Data Transition Procedures
When data is no longer needed to meet contractual obligations, DCACLab will securely transfer all relevant data back to the Educational Agency (EA) using encrypted methods such as secure file transfer protocols (SFTP) or encrypted cloud storage, upon EA request. After successful transfer and confirmation from the EA, all copies of the data held by DCACLab are securely deleted from our systems to ensure no residual data remains.
7. Secure Destruction and Certification
DCACLab follows secure data destruction practices to ensure that all data, including PII, is permanently and irreversibly deleted when no longer needed. Data deletion is performed using industry-standard methods such as secure erasure of electronic files and overwriting storage locations to prevent recovery. Upon request, DCACLab can provide confirmation of data destruction to the Educational Agency (EA) in the form of a written certification or statement verifying that the data has been securely and completely removed from our systems.
8. Alignment with EA Policies
DCACLab works closely with Educational Agencies to understand and align with their applicable data privacy and security policies. We review contractual agreements and any specific requirements provided by the EA to ensure our practices meet or exceed their standards. Additionally, we maintain open communication to address any concerns and update our policies as needed to stay compliant.
9. NIST Cybersecurity Framework Alignment
- Identify:
-
Asset Management (ID.AM):
DCACLab maintains an up-to-date inventory of key assets, including the database containing PII, servers, and administrator access. Asset importance is assessed based on sensitivity and business function. Access is limited to essential personnel, and devices with access to PII are securely managed. While our process is streamlined due to team size, it is regularly reviewed and aligned with our risk management priorities.
-
Business Environment (ID.BE):
DCACLab’s mission is to provide a secure and engaging virtual electronics lab for educational use. We understand the needs of our users—primarily educational institutions and students—and prioritize data protection accordingly. Cybersecurity responsibilities are assigned based on our small team structure, and risk decisions are guided by our commitment to safeguarding educational data and complying with applicable privacy laws.
-
Governance (ID.GV):
DCACLab follows internal procedures to ensure compliance with regulatory and legal requirements, including FERPA and Ed Law §2-d, where applicable. These obligations inform our cybersecurity and data governance practices. While our team is small, risk management and operational decisions are made with a clear understanding of their compliance impact.
-
Risk Assessment (ID.RA):
DCACLab regularly evaluates potential cybersecurity risks to its core operations, particularly related to the protection of PII stored in our database. We assess the potential impact of data breaches or service disruptions on our users, systems, and reputation, and prioritize safeguards accordingly. Our approach is practical and focused, given our scale, but remains aligned with best practices in risk awareness and mitigation.
-
Risk Management Strategy (ID.RM):
DCACLab’s risk management approach prioritizes the protection of sensitive data, particularly PII in our database. Our operational decisions are guided by a low risk tolerance for data breaches or unauthorized access. Given our size, we take a focused and practical approach, applying strong access controls and secure infrastructure to minimize risk while staying aligned with our technical and business constraints.
-
Supply Chain Risk Management (ID.SC):
DCACLab uses a minimal set of trusted third-party services (e.g., cloud hosting, payment processors), selected based on their security reputation and compliance standards. We assess supply chain risks by choosing vendors with strong security practices and established reliability. While our vendor list is small, we regularly review it to ensure alignment with our risk tolerance and operational needs.
- Protect:
-
PR.AC (Identity Management, Authentication and Access Control):
DCACLab restricts access to systems and data—especially the database containing PII—to authorized personnel only. Strong authentication methods are in place, and administrative access is limited and closely managed. No subcontractors or external users have access to sensitive systems.
-
PR.AT (Awareness and Training):
At DCACLab, personnel responsible for system operations and security receive ongoing training to stay up-to-date with cybersecurity threats and best practices. While other team members currently do not receive specialized cybersecurity training due to the small size and defined roles of our team, the organization recognizes the importance of expanding awareness and plans to introduce broader training as the team grows.
-
PR.DS (Data Security):
DCACLab protects the confidentiality, integrity, and availability of data—especially PII stored in our database—through strict access controls. Server access is secured via SSH with strong authentication, and backups are maintained securely on AWS with multi-factor authentication enabled. These measures, along with encryption and regular reviews, align with our risk strategy and ensure robust data protection.
-
PR.IP (Information Protection Processes and Procedures):
DCACLab maintains clear security processes and procedures that define roles, responsibilities, and management commitment to protecting information systems and assets. We follow industry best practices to ensure coordination and consistent application of security measures aligned with our organizational goals and risk management strategy.
-
PR.MA (Maintenance):
DCACLab performs maintenance and updates on its information systems according to established procedures to ensure continued security and functionality. Regular software updates, patching, and system health checks are conducted to minimize vulnerabilities and maintain system integrity.
-
PR.PT (Protective Technology):
DCACLab manages technical security solutions such as firewalls, encryption, and access controls to ensure the security and resilience of systems and assets. These technologies are configured and maintained following industry best practices and practical security principles to protect sensitive data and maintain system availability.
- Detect:
-
Anomalies and Events (DE.AE):
DCACLab uses Wazuh to automatically detect anomalous activities across systems. Alerts generated are promptly assessed to understand their potential impact and respond as needed.
-
Security Continuous Monitoring (DE.CM):
While DCACLab does not currently have automated continuous monitoring systems, we conduct periodic manual checks of critical systems and logs to identify cybersecurity events and verify the effectiveness of existing protections.
-
Detection Processes (DE.DP):
Detection processes and procedures at DCACLab are documented and include manual log reviews and incident awareness practices. These processes are tested periodically to ensure the team remains vigilant to potential security events.
- Respond:
-
RS.RP (Response Planning):
DCACLab maintains documented response procedures to guide actions in the event of a cybersecurity incident. These processes ensure timely and coordinated handling of detected issues.
-
RS.CO (Communications):
In the event of a cybersecurity incident, DCACLab coordinates response efforts internally and, when necessary, communicates with external stakeholders such as affected users or educational partners. We are prepared to engage external support if legally required.
-
RS.AN (Analysis):
When an incident occurs, DCACLab conducts a structured analysis using logs and alerts from Wazuh to understand the source, impact, and scope of the event. This analysis supports effective containment and recovery.
-
RS.MI (Mitigation):
Mitigation actions are taken promptly to limit the scope and impact of incidents. This includes isolating affected components, applying patches or configuration changes, and restoring affected services.
-
RS.IM (Improvements):
After any incident, DCACLab reviews the event to identify root causes and apply lessons learned. We use this feedback to update our procedures and improve future response effectiveness.
- Recover:
-
RC.RP (Recovery Planning):
DCACLab maintains recovery procedures to ensure systems and data can be restored promptly in the event of a cybersecurity incident. Regular backups and tested restoration processes help minimize downtime and data loss.
-
RC.IM (Improvements):
Recovery processes are continuously improved by analyzing incident outcomes and integrating lessons learned into future recovery planning and procedures.
-
RC.CO (Communications):
During recovery efforts, DCACLab coordinates with relevant internal and external stakeholders, including hosting providers or affected partners, to ensure a smooth and transparent restoration process.
Contact Information
If you have any questions about our Data Privacy and Security Policy, please contact us at [email protected].