Training & Awareness

How we ensure all personnel understand their obligations to protect student data through comprehensive training programs.

Our Training Philosophy

Impact Suite recognizes that technology alone cannot protect student data—our people are our first line of defense. Every employee and contractor receives comprehensive training on federal and state privacy laws, security best practices, and their specific responsibilities in protecting the sensitive information entrusted to us by educational agencies.

Key Principles:

  • Universal Training: All personnel receive baseline privacy and security training

  • Role-Based Content: Additional specialized training based on job responsibilities and data access

  • Regular Reinforcement: Annual refresher training to maintain awareness

  • Tracked Completion: All training completion monitored and documented

  • Continuous Updates: Training content updated to reflect emerging threats and regulatory changes

Comprehensive Training Program

Our multi-layered training program addresses federal regulations, industry best practices, and emerging security threats through a structured approach delivered at onboarding and reinforced annually.

Training Schedule

Onboarding (Day 1): All new employees and contractors must complete required training before receiving access to any systems containing student data or personally identifiable information. This ensures every team member understands their obligations from day one.

Annual Recertification: All personnel complete refresher training annually to:

  • Maintain current knowledge of regulatory requirements

  • Learn about evolving security threats and best practices

  • Review updated policies and procedures

  • Reinforce critical concepts and obligations

Triggered Training: Additional training is required when:

  • Job responsibilities change significantly

  • New systems or processes are implemented

  • Security incidents reveal training gaps

  • Regulatory requirements change

  • Access levels are modified

FERPA & COPPA Training (Internally Managed)

All employees receive comprehensive training on the federal laws governing educational privacy and children's online privacy protection.

FERPA (Family Educational Rights and Privacy Act)

Content Coverage:

Understanding Educational Records:

  • Definition and scope of educational records under 34 CFR Part 99

  • What constitutes Personally Identifiable Information (PII) from education records

  • Distinction between educational records and other student information

  • Directory information and its special handling requirements

Role as "School Official":

  • Impact Suite's role as a school official with legitimate educational interest

  • Responsibilities and limitations of this designation

  • Appropriate access and use of educational records

  • Maintaining the educational purpose requirement

Consent and Disclosure Requirements:

  • When consent is required for disclosure

  • Exceptions to consent requirements

  • Proper authorization procedures

  • Annual notification requirements

Parent and Student Rights:

  • Parents' rights to access and request amendment of records

  • Transfer of rights to students at age 18 or upon college enrollment

  • Procedures for handling access requests

  • Responding to requests for record amendments

Consequences of Violations:

  • Individual and organizational consequences

  • Potential criminal penalties

  • Loss of federal funding implications

  • Professional and reputational impact

COPPA (Children's Online Privacy Protection Act)

Content Coverage:

Core Requirements:

  • Requirements under 15 U.S.C. §§ 6501-6506

  • Special protections for children under 13

  • Verifiable parental consent obligations

  • School consent acting as parent consent under COPPA

Restrictions on Data Collection:

  • What data can and cannot be collected from minors

  • Prohibition on requiring more information than necessary

  • Limitations on data use and sharing

  • Retention and deletion requirements

Prohibited Uses:

  • No use of student data for advertising or marketing

  • No sale or rental of student information

  • No building of profiles for non-educational purposes

  • No behavioral tracking outside educational context

Safe Harbor Provisions:

  • School consent provisions under COPPA

  • When educational agencies can provide consent

  • Limitations on school-provided consent

  • Obligations even with school consent

Educational Record Confidentiality

Proper Handling Procedures:

  • Classification of information by sensitivity

  • Storage requirements (encrypted, access-controlled)

  • Transmission security (encrypted channels only)

  • Appropriate sharing within authorized scope

  • Documentation of disclosure when required

Incident Reporting:

  • Recognizing potential privacy violations

  • Mandatory immediate reporting procedures

  • Internal escalation paths (Security Officer, Compliance Officer)

  • Timeline expectations for reporting

  • Confidentiality during investigations

  • Protection for good-faith reporting


HIPAA & Compliance Training (Thoropass Platform)

Our Thoropass compliance platform delivers comprehensive training on health information privacy, state-specific requirements, and general security practices.

HIPAA Requirements

Understanding PHI:

  • Definition of Protected Health Information (PHI)

  • What student health information qualifies as PHI

  • Distinction between educational records and health records

  • Intersection of FERPA and HIPAA

Minimum Necessary Standard:

  • Accessing only the PHI necessary for job function

  • Limiting disclosure to minimum necessary

  • Reasonable efforts to limit access

  • Role-based access controls

Business Associate Obligations:

  • Our obligations under 45 CFR §§ 164.308, 164.310, 164.312, 164.316

  • Required safeguards (administrative, physical, technical)

  • Subcontractor management requirements

  • Breach notification obligations under HITECH Act

Security Rule Requirements:

  • Administrative safeguards (policies, training, access management)

  • Physical safeguards (facility access, workstation security, device controls)

  • Technical safeguards (access controls, audit controls, encryption)

  • Implementation specifications and requirements

Privacy Rule Requirements:

  • Use and disclosure limitations

  • Individual rights (access, amendment, accounting)

  • Notice of privacy practices

  • Minimum necessary determinations

Breach Notification:

  • Definition of a breach under HIPAA

  • 60-day notification requirement

  • Notification to covered entity (educational agency)

  • Individual notification requirements

  • Media and HHS notification thresholds


State-Specific Privacy Laws

Coverage Includes:

California:

  • Student Online Personal Information Protection Act (SOPIPA)

  • AB 1584 (Student Privacy)

  • Restrictions on use of student data

  • Deletion requirements

  • Prohibition on targeted advertising

New York:

  • Education Law 2-d requirements

  • Parents' Bill of Rights

  • Supplemental agreements and certifications

  • Data encryption requirements

  • Specific breach notification timelines

Ohio:

  • Ohio Student Data Privacy laws

  • Data minimization requirements

  • Parental access rights

  • Vendor security requirements

  • Background check requirements for employees

Other States:

  • State-by-state variations in requirements

  • Consent and notification differences

  • Breach notification timeline variations

  • Local educational agency policy requirements

General Security & Privacy

Impact Suite Policies:

  • Comprehensive security and privacy policies

  • Acceptable Use Policy requirements

  • Code of conduct expectations

  • Disciplinary procedures for violations

Data Classification and Handling:

  • Identifying sensitive data types

  • Appropriate handling based on classification

  • Secure storage requirements

  • Transmission and sharing protocols

Information Security Principles:

  • Confidentiality, Integrity, Availability (CIA triad)

  • Defense in depth approach

  • Least privilege access

  • Separation of duties

Privacy by Design:

  • Building privacy into systems and processes

  • Privacy as default setting

  • Proactive, not reactive, approach

  • Privacy embedded into design

Data Minimization:

  • Collecting only necessary data

  • Limiting retention to required periods

  • Secure deletion when no longer needed

  • Regular data audits

Security Awareness Training

All personnel receive comprehensive security awareness training covering the most common threats and vulnerabilities that could compromise student data.

Phishing & Social Engineering

Content Coverage:

Recognizing Phishing:

  • Common phishing email indicators (urgent language, suspicious links, requests for credentials)

  • Spear phishing and targeted attacks

  • SMS phishing (smishing) and voice phishing (vishing)

  • Business Email Compromise (BEC) attacks

Social Engineering Tactics:

  • Pretexting and impersonation

  • Authority and urgency manipulation

  • Trust exploitation

  • Tailgating and physical social engineering

Response Procedures:

  • Never clicking suspicious links or attachments

  • Verification procedures for unusual requests

  • Reporting suspicious communications immediately

  • Using designated reporting channels

Password Security

Best Practices:

Strong Password Creation:

  • Length over complexity (passphrases)

  • Unique passwords for each system

  • Avoiding personal information

  • No password reuse across systems

Password Manager Usage:

  • Benefits of password managers

  • Impact Suite-approved tools

  • Secure master password practices

  • Syncing across devices securely

Multi-Factor Authentication (MFA):

  • Why MFA is critical

  • Types of second factors (TOTP, SMS, hardware keys)

  • Setting up MFA on all accounts

  • Recovery procedures

Password Rotation:

  • When to change passwords (compromise, suspicion, scheduled)

  • Creating new strong passwords (not incrementing)

  • Updating across all systems

Credential Sharing Prohibition:

  • Never share credentials with anyone

  • Each person needs a unique account

  • Accountability and audit trail requirements

  • Disciplinary consequences for sharing

Secure Data Handling

Training Topics:

Data Classification:

  • Public, Internal, Confidential, Restricted classifications

  • Student PII as Restricted data

  • PHI handling requirements

  • Proper labeling and marking

Encryption Requirements:

  • When encryption is required

  • Approved encryption tools

  • Encrypted email for sensitive data

  • Encrypted file storage and transfer

Secure Transmission:

  • Never emailing unencrypted student data

  • Using approved secure file transfer methods

  • SFTP, secure portals, encrypted email

  • Verifying recipient before sending

Proper Storage:

  • Only storing data in approved systems

  • No local storage of student data on personal devices

  • Cloud storage must be approved and encrypted

  • Regular data inventory and cleanup

Clean Desk Policy:

  • No sensitive information left visible

  • Locking screens when leaving workstation

  • Secure disposal of printed materials

  • Visitor awareness in workspace

Secure Disposal:

  • Shredding paper documents

  • Secure deletion of electronic files

  • Device sanitization before disposal or reuse

  • Certificate of destruction for media

Physical Security

Training Coverage:

Device Security:

  • Laptop encryption (required for all devices)

  • Screen lock when unattended

  • Theft prevention (cables, awareness)

  • Immediate reporting of lost or stolen devices

Workspace Security:

  • Locking doors and cabinets

  • Visitor management and escorting

  • Access controls for secure areas

  • Shoulder surfing awareness

Remote Work Security:

  • Securing home office space

  • Family member access restrictions

  • Public space work precautions

  • VPN usage for remote access

Lost or Stolen Devices:

  • Immediate reporting procedures (within 1 hour)

  • Remote wipe capabilities

  • Incident investigation

  • Replacement procedures

Mobile Device Security

Requirements:

Device Encryption:

  • Full disk encryption enabled

  • iOS and Android encryption settings

  • Backup encryption

  • Remote wipe enrollment

App Security:

  • Only approved apps for work data

  • Regular app updates

  • Permission review and management

  • No unauthorized apps with access to data

Public Wi-Fi Risks:

  • Never accessing sensitive data on public Wi-Fi without VPN

  • Man-in-the-middle attack risks

  • VPN usage requirements

  • Mobile hotspot as alternative

BYOD Policies:

  • Bring Your Own Device (BYOD) requirements

  • Separation of personal and work data

  • Mobile Device Management (MDM) enrollment

  • Acceptable use expectations

Role-Based Specialized Training

In addition to universal baseline training, personnel receive specialized training based on their roles and data access levels.

Engineering & Development Teams

Enhanced Training Includes:

Secure Coding Practices:

  • OWASP Top 10 vulnerabilities

  • Input validation and sanitization

  • SQL injection prevention

  • Cross-site scripting (XSS) prevention

  • Authentication and session management

  • Secure API development

  • Error handling and logging

Privacy by Design:

  • Privacy considerations in system design

  • Data minimization in code

  • Purpose limitation in features

  • User consent management

  • Privacy impact assessments

Encryption Implementation:

  • When and how to encrypt data

  • Proper key management

  • Encryption libraries and best practices

  • Avoiding common encryption mistakes

Code Review:

  • Security-focused code review

  • Peer review requirements

  • Automated security testing

  • Vulnerability remediation

Secure Development Lifecycle:

  • Security requirements gathering

  • Threat modeling

  • Security testing integration

  • Deployment security

Customer Support Personnel

Enhanced Training Includes:

Identity Verification:

  • Multi-step verification before disclosing information

  • Questions to verify caller/requester identity

  • Red flags for social engineering

  • When to escalate to supervisor

Appropriate Data Disclosure:

  • What information can be disclosed to whom

  • Student data access restrictions

  • Authentication requirements

  • Documentation of disclosure

Handling Sensitive Information:

  • Secure communication channels for support

  • No sensitive data in email unless encrypted

  • Ticketing system security

  • Screen sharing precautions

Escalation Procedures:

  • Recognizing security concerns in support requests

  • When to involve security team

  • Unusual request patterns

  • Suspected data breach reporting

Sales & Business Development

Enhanced Training Includes:

Accurate Representation:

  • Truthful representation of data practices

  • No overpromising on security capabilities

  • Referring technical questions appropriately

  • Compliance with marketing regulations

Prohibited Commitments:

  • Cannot promise custom data handling without approval

  • Cannot commit to non-standard security measures

  • No agreements on data practices without legal review

  • Escalation path for custom requests

Security as Competitive Advantage:

  • How to discuss security positively

  • Certifications and compliance to highlight

  • Appropriate references to security features

  • When to involve compliance team

RFP/Security Questionnaire Response:

  • Understanding common security questions

  • Resources available for responses

  • Compliance team involvement

  • Consistency in messaging

Administrative Personnel

Enhanced Training Includes:

Access Control Management:

  • Provisioning and deprovisioning procedures

  • Least privilege principle application

  • Role-based access assignment

  • Access request verification

Audit Trail Maintenance:

  • Importance of audit logs

  • What actions are logged

  • Log review procedures

  • Retention requirements

Vendor Management:

  • Security considerations in vendor selection

  • Required security questionnaires

  • Contract review for data clauses

  • Ongoing vendor monitoring

Training Tracking & Accountability

All training completion is tracked through our Thoropass compliance management platform, ensuring accountability and providing audit trails for compliance verification.

Completion Monitoring

Thoropass Platform Tracking

  • Automated enrollment for new hires based on role

  • Training assignment and scheduling

  • Progress tracking with dashboards

  • Automated reminder emails for overdue training

  • Completion certificates automatically generated

  • Permanent audit trail maintained

Access Control Integration: Access to systems containing student data or PII is contingent upon:

  • Current training completion status (within last 12 months)

  • Annual recertification being up to date

  • Role-appropriate specialized training completed

  • Acknowledgment of policies and procedures signed

Compliance Officer Oversight: Kris Kofoed, Compliance Officer, monitors:

  • Training completion rates across the organization

  • Overdue training and follow-up actions

  • Training effectiveness measures and feedback

  • Updates needed based on incidents or regulatory changes

  • Compliance with contractual training requirements

Documentation & Attestation

Training Records Include:

  • Employee or contractor name and role

  • Training modules assigned and completed

  • Completion dates and timestamps

  • Test scores where applicable

  • Time spent in training materials

  • Certificate of completion

  • Digital acknowledgment signatures

Record Retention: Training records are:

  • Retained for the duration of employment/engagement plus six (6) years (HIPAA requirement)

  • Available for audit and compliance verification purposes

  • Stored securely in the Thoropass platform with access controls

  • Accessible to authorized personnel only (Compliance Officer, HR, management)


Employee Acknowledgments

All personnel acknowledge understanding of:

  • Federal and state privacy and security obligations (FERPA, COPPA, HIPAA)

  • Impact Suite policies and procedures

  • Consequences of violations (disciplinary action up to termination)

  • Ongoing obligation to maintain confidentiality

  • Requirement to report incidents, violations, and concerns immediately

  • Continuing obligation after employment ends

Acknowledgment Process:

  • Electronic signature in Thoropass

  • Annual re-acknowledgment with training recertification

  • New acknowledgment when policies are materially updated

  • Stored with training records for audit purposes

Binding Confidentiality Obligations

In addition to training, all Impact Suite employees and contractors sign legally binding confidentiality agreements as part of their employment or engagement contracts.

Employment/Contractor Agreements Include:

Data Protection Commitments:

  • Explicit requirements to maintain confidentiality of all PII, Student Data, and PHI

  • Adherence to FERPA, COPPA, HIPAA, and state-specific student data privacy regulations

  • Prohibition on unauthorized access, use, or disclosure of educational data

  • Obligation to protect data with the same care as their own sensitive personal information

Acceptable Use Requirements:

  • Use of data only for authorized business purposes within scope of employment

  • Proper handling, access, and processing of sensitive data

  • Prohibition on personal use of educational data

  • Restrictions on data storage, transmission, and sharing

  • No unauthorized copying or downloading of data

Code of Conduct:

  • Ethical standards and professional behavior regarding data handling

  • Integrity and honesty in all data-related activities

  • Respect for student and family privacy

  • Commitment to compliance culture

Incident Reporting Obligations:

  • Mandatory immediate reporting of suspected or actual security incidents

  • Reporting of policy violations or compliance concerns

  • Reporting of privacy breaches or unauthorized access

  • Protection and non-retaliation for good-faith reporting

  • Cooperation with incident investigations

Termination Obligations:

  • Immediate return or destruction of all confidential information upon separation

  • Continuing confidentiality obligations after employment ends

  • No retention of student data, PII, or PHI on personal devices or systems

  • Device wiping and account deactivation procedures

  • Ongoing legal liability for post-employment violations

Third-Party Subcontractor Requirements

While Impact Suite cannot directly train subcontractor employees, we ensure subprocessors maintain equivalent training standards through contractual requirements and verification.

Subprocessor Training Requirements

All subprocessors must:

  • Maintain comprehensive privacy and security training programs for their employees

  • Provide training on FERPA, COPPA, HIPAA, and applicable state laws

  • Conduct training at employee onboarding and annually thereafter

  • Track and document training completion

  • Provide evidence of training programs upon request

Verification Process:

  • Review of subprocessor training programs during vendor assessment

  • Request for training completion statistics

  • Annual certification of ongoing training compliance

  • Right to audit training records as part of vendor oversight

Major Subprocessor Examples

Amazon Web Services (AWS):

  • Comprehensive employee security training programs

  • Regular security awareness and compliance training

  • Role-based security training for cloud operations

  • Documented in AWS compliance certifications and reports

  • Evidence available through AWS compliance documentation

Ednition:

  • Training on educational data privacy requirements

  • FERPA and state law training for personnel handling student data

  • Secure data handling procedures training

  • Ongoing compliance training and updates

Training Program Continuous Improvement

Impact Suite's training program is regularly reviewed and updated to ensure it remains effective and addresses evolving threats and requirements.

Regular Program Reviews

Quarterly Reviews:

  • Assessment of training completion rates

  • Review of training effectiveness metrics

  • Analysis of security incidents for training gaps

  • Feedback collection from employees

  • Identification of needed updates or additions

Annual Comprehensive Review:

  • Full curriculum review and update

  • Incorporation of new regulatory requirements

  • Addition of emerging threats and best practices

  • Updating of examples and scenarios

  • Revision of testing and assessment methods

Updates Based On:

Regulatory Changes:

  • New privacy laws or amendments to existing laws

  • Updated guidance from regulators (ED, FTC, HHS)

  • Changes in state requirements

  • New compliance obligations

Security Incidents:

  • Lessons learned from internal incidents

  • Industry-wide breach trends

  • New attack vectors and tactics

  • Evolving threat landscape

Industry Best Practices:

  • Participation in education technology industry groups

  • Review of peer training programs

  • Adoption of new training methodologies

  • Integration of latest security awareness trends

Employee Feedback:

  • Surveys and feedback on training effectiveness

  • Requests for additional training topics

  • Suggestions for improvement

  • Learning preferences and accessibility needs

Questions About Our Training Program?

For questions about our training program, curriculum, or employee qualifications, please contact our Compliance Officer.

Primary Contact: Kris Kofoed, Compliance Officer, kris.kofoed@impactsuite.com

Note: Our training program is reviewed quarterly and updated to reflect current regulatory requirements, emerging threats, and industry best practices. All training materials are documented in our Thoropass compliance platform.