Incident Response

Our process for detecting, responding to, and recovering from security incidents with transparent communication.

Incident Response Philosophy

Impact Suite takes security incidents seriously and maintains a comprehensive, tested incident response program designed to rapidly detect, contain, investigate, and remediate security events while maintaining transparent communication with affected educational agencies.

Our incident response program is:

  • Documented: Written procedures maintained in our Thoropass compliance platform

  • Tested: Annual tabletop exercises to validate effectiveness

  • Transparent: Clear notification timelines and communication procedures

  • Continuously Improving: Post-incident reviews to strengthen our defenses


How We Detect Security Incidents

Early detection is critical to minimizing the impact of security incidents. Impact Suite employs multiple detection methods operating 24/7:

Automated Monitoring:

  • AWS CloudWatch: 24/7 monitoring of infrastructure including:

    • Unusual access patterns or failed authentication attempts

    • Unexpected changes to security configurations

    • Resource utilization anomalies indicating potential compromise

    • Application errors or system failures

    • Network traffic anomalies

Security Event Monitoring:

  • Authentication logs (successful and failed login attempts)

  • Privileged account activity

  • Data access and modification patterns

  • Administrative actions and configuration changes

  • API usage and integration activities

Anomaly Detection:

  • Abnormal login locations or times

  • Excessive failed authentication attempts

  • Unusual data access volumes or patterns

  • Unauthorized privilege escalation attempts

  • Suspicious database queries

Real-Time Alerting:

  • Automated alerts for critical security events

  • Immediate notification to security team via multiple channels

  • Escalation procedures ensuring rapid response

  • On-call rotation for 24/7 coverage

Human Reporting:

  • Employees trained to report suspected security incidents

  • Multiple reporting channels (Slack, direct contact, anonymous)

  • Customer and user reports of suspicious activity

  • Security researchers and external notifications


Incident Response Team

Impact Suite maintains a cross-functional incident response team with clearly defined roles and responsibilities:

Incident Commander: Kris Kofoed, Compliance Officer

  • Overall incident coordination and decision-making authority

  • Primary point of contact for external communications

  • Authorization for escalation and resource allocation

  • Ensures compliance with notification requirements

Security Officer: Zach Johnson, VP of Product & Safety Officer

  • Technical incident investigation and analysis

  • Security containment and remediation activities

  • Forensic analysis and evidence preservation

  • Coordination with engineering team

Engineering Team: Thane Tyler, Director of Engineering

  • Technical response and system remediation

  • Log analysis and vulnerability assessment

  • Implementation of security controls and patches

  • System restoration and recovery activities

Executive Leadership:

  • Strategic decision-making for significant incidents

  • Resource allocation and external communications approval

  • Legal and regulatory notification decisions

Legal Counsel:

  • Legal compliance and regulatory requirements

  • Review of notifications and external communications

  • Coordination with law enforcement if necessary

  • Assessment of legal obligations and liabilities


Incident Response Process

Our incident response follows a structured, four-phase approach:

Phase 1: Detection & Initial Response (0-2 Hours)

Immediate Actions:

  • Notification to Incident Commander and Security Officer

  • Preliminary assessment to confirm incident

  • Initial classification of incident type and severity

  • Activation of response team based on severity

  • Documentation of incident details in tracking system

Severity Classification:

  • Critical: Confirmed breach of PII or PHI, active intrusion, significant service disruption

  • High: Potential breach, elevated security events, service degradation

  • Medium: Security events requiring investigation, no confirmed breach

  • Low: Minor security anomalies, policy violations

Phase 2: Containment (2-24 Hours)

Containment Actions:

  • Immediate actions to prevent further unauthorized access or data exposure

  • Isolation of affected systems or accounts

  • Preservation of evidence for investigation

  • Implementation of temporary security controls

  • Enhanced monitoring of related systems

Impact Assessment:

  • What data was accessed or potentially compromised?

  • How many individuals or educational agencies were affected?

  • Duration of unauthorized access?

  • Method of compromise or attack vector?

  • Current threat status and ongoing risk?

Phase 3: Investigation & Eradication

Investigation Activities:

  • Forensic Analysis:

    • Detailed review of audit logs, access records, and system logs

    • Timeline reconstruction of incident events

    • Root cause identification

    • Extent of data access or exfiltration

    • Identification of vulnerabilities exploited

  • Evidence Preservation:

    • Secure collection of system logs and audit trails

    • Network traffic captures where applicable

    • Affected system images for detailed analysis

    • Documentation for potential legal proceedings

Eradication:

  • Removal of threat actor access

  • Elimination of malicious code or unauthorized changes

  • Patching of the vulnerabilities that enabled the incident

  • Implementation of enhanced security controls

  • Validation that the threat has been completely eliminated

Phase 4: Recovery & Post-Incident Activities

Recovery:

  • System restoration from secure backups if necessary

  • Gradual restoration of services with enhanced monitoring

  • Validation of security control effectiveness

  • Return to normal operations with lessons learned implemented

Post-Incident Review:

  • Comprehensive post-mortem within 30 days

  • Timeline analysis and response evaluation

  • Root cause analysis

  • Identification of improvements needed

  • Documentation of lessons learned

  • Implementation of security enhancements


Notification Procedures & Timeline

72-Hour Notification: Impact Suite will notify affected educational agencies within seventy-two (72) hours of confirming a security incident that involves personally identifiable information or student data.

Notification Includes:

  • Incident Description: What happened and how it occurred

  • Date and Time: When the incident occurred and was discovered

  • Type of Data Affected: Categories of PII or student data involved

  • Number of Affected Individuals: Approximate number of students, staff, or families impacted

  • Impact Assessment: Potential risk or harm to affected individuals

  • Containment Actions: Steps taken to contain and remediate the incident

  • Preventive Measures: Enhanced security controls implemented

  • Point of Contact: Kris Kofoed, Compliance Officer (kris.kofoed@impactsuite.com)

  • Recommended Actions: Guidance for educational agency response

  • Timeline: Estimated timeline for complete remediation

Who Gets Notified:

  • Affected Educational Agencies: Designated security/compliance contacts

  • Affected Individuals: Students, parents, staff (when required by law)

  • Regulatory Authorities: State education agencies, HHS (for HIPAA breaches), as required

  • Law Enforcement: When criminal activity is suspected

Communication Method:

  • Email to designated contacts

  • Follow-up telephone call for significant incidents

  • Secure portal access for detailed incident information

  • Regular status updates throughout incident response


Recovery & Business Continuity

Backup & Restoration:

  • Daily automated backups (30-day retention)

  • Geographically distributed backup storage

  • Encrypted backups with access controls

  • Regular backup integrity testing

  • Documented restoration procedures

High Availability Architecture:

  • 99.9% uptime SLA

  • Redundant infrastructure for resilience

  • Multi-region AWS architecture

  • Automated failover capabilities

  • Load balancing for scalability

Recovery Time:

  • Recovery Time Objective (RTO): 4 hours for critical systems

  • Recovery Point Objective (RPO): 24 hours (maximum data loss)

  • Prioritized restoration of educational agency access

  • Communication during extended outages


Incident Response Testing

Annual Tabletop Exercises:

  • Simulation of various incident scenarios

  • Participation by entire response team

  • Testing of communication procedures

  • Validation of response times and processes

  • Identification of gaps or improvement areas

What We Test:

  • Detection capabilities and alerting

  • Team coordination and communication

  • Notification procedures and timelines

  • Technical response and remediation

  • Documentation and evidence collection

  • Recovery procedures

Continuous Improvement:

  • Test results documented in Thoropass

  • Action items tracked with assigned ownership

  • Incident response plan updated based on findings

  • Team training enhanced to address gaps

  • New threats and scenarios incorporated


Incident History

Current Status: Impact Suite has not experienced any confirmed security breaches involving unauthorized access to, or disclosure of, student data or personally identifiable information.

Transparency Commitment: In the event of a security incident, we will:

  • Update this page with anonymized incident summary

  • Share lessons learned with educational agency partners

  • Document preventive measures implemented

  • Maintain incident history for transparency


Educational Agency Responsibilities

Help Us Protect Your Data:

Secure Your Access:

  • Use strong, unique passwords

  • Enable multi-factor authentication

  • Don't share login credentials

  • Report suspicious emails or login attempts

  • Keep contact information current

Report Suspicious Activity:

  • Unusual access patterns

  • Unexpected data exports

  • Suspicious emails claiming to be from Impact Suite

  • Unauthorized users or access requests

  • Any potential security concerns

Maintain Current Contacts:

  • Ensure we have current compliance officer contact information

  • Provide after-hours emergency contacts

  • Update contact information when personnel changes occur

  • Designate backup contacts for notifications

Participate in Incident Response:

  • Respond promptly to incident notifications

  • Provide information needed for investigation

  • Coordinate student/parent notifications as needed

  • Participate in post-incident reviews


Report a Security Incident

If you suspect a security incident involving your data:

Primary Contact: Kris Kofoed, Compliance Officer, kris.kofoed@impactsuite.com, [Phone Number]

Secondary Contact: Zach Johnson, VP of Product & Safety Officer, zach@impactsuite.com, [Phone Number]

Include in Your Report:

  • Your organization name and contact information

  • Description of the suspected incident

  • Date/time you discovered the issue

  • Any relevant details (affected users, unusual activity, etc.)

  • Your contact information for follow-up

We will respond within 2 hours of receiving your report.