Information security policy and procedures
This document defines Learning Cub’s information security policy, procedures, and governance structure. It serves as our organization’s documented information security standards in accordance with NIST 800-53 and ISO/IEC 27001 frameworks.
Purpose and scope
This policy establishes the requirements for protecting the confidentiality, integrity, and availability of information assets managed by Learning Cub. It applies to all employees, contractors, and third-party service providers who access, process, or store data on behalf of Learning Cub and its customers.
The scope includes:
- All production and quality assurance systems
- Customer data stored in the Learning Management System (LMS)
- Internal business systems and communications
- Hosting infrastructure provided by BuyVM.net (FranTech)
Foundational frameworks
Our information security program is aligned with the following industry frameworks:
- NIST 800-53: We implement security controls from the NIST Special Publication 800-53 framework, covering access control, audit and accountability, incident response, risk assessment, and system and communications protection.
- ISO/IEC 27001: Our information security management practices follow ISO/IEC 27001 standards for establishing, implementing, maintaining, and continually improving an information security management system.
- SOC 2: Our platform delivery follows SOC 2 Type 2 controls. Moodle US has achieved SOC 2 Type 2 and SOC 3 compliance as verified by independent audit.
- PCI DSS: Customer payment information is handled in compliance with PCI Data Security Standards, verified through quarterly third-party audits.
Information security governance
Executive oversight
Executive oversight for cybersecurity is maintained at the organizational level. The Vice President and the Web Developer hold primary responsibility for the information security program.
Roles and responsibilities
- Vice President: Approves information security policies, allocates resources for security initiatives, and oversees compliance with regulatory requirements.
- Web Developer: Implements and maintains technical security controls, monitors systems for security events, and manages vulnerability remediation.
- Customer administrators: Each customer organization designates their own administrators who manage user access reviews and role assignments within their instance.
Access control policy
Authentication
- All users are required to have unique user accounts on systems that store, access, or transmit customer data.
- Strong password policies are enforced. Passwords must be at least 8 characters and include at least one digit, one lowercase letter, one uppercase letter, and one non-alphanumeric character.
- Single Sign-On (SSO) is supported through SAML, OAuth, and OpenID Connect protocols.
- Additional authentication methods include LDAP and Moodle internal authentication.
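The password requirements above can be expressed as a small, testable check. The following is an added example written for this page, not code from Learning Cub or Moodle; it encodes the stated thresholds (8 characters, one digit, one lowercase, one uppercase, one non-alphanumeric) as constants and reports every rule a candidate password fails, which is more useful at password-change time than a bare accept/reject.

```python
from dataclasses import dataclass, field

# Thresholds as stated in this policy's Authentication section.
MIN_LENGTH = 8
MIN_DIGITS = 1
MIN_LOWER = 1
MIN_UPPER = 1
MIN_NONALNUM = 1


@dataclass
class PolicyResult:
    compliant: bool
    # Short codes for each rule the password failed, in a fixed order.
    failures: list = field(default_factory=list)


def check_password_policy(password: str) -> PolicyResult:
    """Evaluate a candidate password against every rule and collect all failures."""
    counts = {
        "digits": sum(c.isdigit() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        # Anything that is neither a letter nor a digit, including spaces.
        "nonalphanum": sum(not c.isalnum() for c in password),
    }
    thresholds = {
        "digits": MIN_DIGITS,
        "lowercase": MIN_LOWER,
        "uppercase": MIN_UPPER,
        "nonalphanum": MIN_NONALNUM,
    }

    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    for rule, minimum in thresholds.items():
        if counts[rule] < minimum:
            failures.append(rule)

    return PolicyResult(compliant=not failures, failures=failures)


def describe(password: str) -> str:
    """Human-readable summary for a password-change form or admin tooling."""
    result = check_password_policy(password)
    if result.compliant:
        return "compliant"
    return "non-compliant: " + ", ".join(result.failures)


if __name__ == "__main__":
    # Constructed sample candidates (not real credentials).
    for candidate in ["Tr0ub4dor&3", "password", "Ab1!", "ABC12345!"]:
        print(f"{candidate!r}: {describe(candidate)}")
```

Moodle exposes the same thresholds through its site security settings (minpasswordlength, minpassworddigits, minpasswordlower, minpasswordupper, minpasswordnonalphanum); this snippet does not read those settings and is only a standalone way to verify that a candidate password meets the policy as written here.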
Authorization
- User accounts are assigned based on the principle of least privilege using Moodle’s role-based access control (RBAC) system.
- Roles include learner, teacher, administrator, and course creator, each with defined privileges.
- Permissions are configurable at the system, course, and activity level.
- Multiple roles can be assigned to a single user across different courses.
- Access to content can be restricted based on user role, location, IP address range, and custom profile fields.
Account lifecycle management
- Login credentials are deactivated upon end of employment or contract service. Deactivation is managed through Moodle’s role-based access system so that the user account is disabled and its access revoked promptly.
- User access reviews are performed regularly for internal team accounts.
- Customer administrators manage access reviews for their own users according to their organizational requirements.
Remote access
Remote access to server environments is not permitted. Access is only available through the application interface.
Data classification and handling
Data categories
- Customer data: Learner records, course completions, assessment scores, transcripts, and certificates. Handled with the highest level of protection.
- Operational data: System configuration, course content, and administrative records.
- Public data: Marketing materials, course descriptions, and feature documentation.
Data residency
All customer data is stored within the United States, in data centers located in Las Vegas and New York operated by BuyVM.net (FranTech). No data is stored offshore.
Data retention
- Course and learner data backups are stored for 10 years.
- Daily SQL database backups are stored on the server for seven days.
- Data can be exported via SFTP to customer servers for customer-managed retention.
- Moodle provides configurable data retention settings to meet each customer’s organizational policies.
Encryption standards
- Data in transit: All data transmitted between users and the platform is encrypted using SSL/TLS protocols.
- Data at rest: Full Disk Encryption (FDE) is applied to all hosting infrastructure provided by BuyVM.net.
- Private networking: Internal data transfers between system components use private networking for secure communication.
Hosting and infrastructure security
Hosting environment
Customer data is hosted on dedicated, isolated virtual machines that are separate from any other client’s data. These virtual machines run on shared virtualization infrastructure managed by BuyVM.net (FranTech).
Physical security
Data centers operated by FranTech maintain:
- 24/7 on-site security
- Multi-layer access controls
- Redundant power supplies and cooling systems
Network security
- DDoS protection is provided at the infrastructure level.
- The hosting provider is multi-homed across several global regions for redundancy.
Vulnerability management
Vulnerability scanning
Periodic vulnerability scans are performed on information technology systems, networks, and supporting security systems as part of the quarterly PCI audit conducted by a third party.
Penetration testing
Penetration testing of internal and external data environments is conducted quarterly as part of the PCI audit process, performed by a third party.
Software security
- A formal Secure Software Development Lifecycle (SDLC) is in place that includes application security requirements.
- Security reviews and regression testing are performed on Moodle’s application source code.
- Regular security audits and automated regression tests are conducted to ensure security and functionality.
Backup and disaster recovery
Backup procedures
- Daily SQL database backups are performed and stored on the server for seven days.
- Data can also be exported via SFTP to customer servers for extended retention.
- Backups are tested specifically for restore scenarios.
- Course data backups are stored for 10 years in a secure facility with multi-layer access controls.
Disaster recovery plan
Our disaster recovery plans include:
- Maintaining separate production and quality assurance servers, provisioned for emergency use.
- Using virtualization snapshots to mitigate data loss.
- Testing specifically for backup restore scenarios.
Recovery Time Objective
Disaster recovery and business continuity plans are tested annually using simulated scenarios. Plans are updated based on results and organizational changes.
Infrastructure resilience
Our main infrastructure vendor, FranTech, is multi-homed across several global regions and has a demonstrated record of recovering from incidents including DDoS attacks, core router failures, and power supply failures. Over the past year, service uptime has been maintained at 99.9%.
Incident response
Incident response plan
A cybersecurity incident response plan is maintained and tested annually through simulated exercises. The plan is updated regularly based on lessons learned, emerging threats, and organizational changes.
Breach history
No security breaches or data breach incidents have occurred.
Personnel security
Cybersecurity training
Cybersecurity training is provided to the workforce through the Coursera course “Introduction to Cybersecurity Fundamentals.” Training is delivered periodically as part of ongoing professional development. Effectiveness is evaluated through the course exam.
Third-party personnel
All work is handled in-house, except for the use of the Moodle platform. The Moodle team ensures their staff undergo thorough vetting processes following strict security and privacy protocols.
Credential deactivation
Deactivation of login credentials is verified upon end of employment or contract service, managed through Moodle’s role-based access system.
Third-party and vendor management
Outsourced functions
- PCI audits: Performed by a third party on a quarterly basis.
- All other cybersecurity functions: Handled in-house.
Key vendors
- BuyVM.net (FranTech): Cloud hosting and data center services with data centers in the United States.
- Moodle: Learning Management System platform. Moodle US has achieved SOC 2 Type 2 and SOC 3 compliance. Moodle relies on its hosting providers for ISO/IEC 27001, SOC 2, and GDPR compliance certifications.
Regulatory compliance
Our organization adheres to applicable regulatory requirements:
- GDPR: Compliance with the General Data Protection Regulation for protecting personal data.
- HIPAA: Data protection policies address requirements related to Protected Health Information where applicable.
- FERPA: Compliance with the Family Educational Rights and Privacy Act for education records.
- FedRAMP: Platform capabilities are aligned with Federal Risk and Authorization Management Program requirements.
- Section 508: Accessibility compliance for federal agencies.
Our proposed service is not considered a medical device subject to FDA regulation.
Audit and logging
The platform generates audit trails of access and use through Moodle’s auditing and logging features. These audit logs capture user activity, system events, and administrative actions to support compliance monitoring and incident investigation.
Change management
A formal change management process based on ITIL (Information Technology Infrastructure Library) is followed. Changes to the production environment are tested, reviewed, approved, and monitored to ensure proper implementation and minimize risks.
Policy review and updates
This information security policy is reviewed and updated annually, or as needed in response to significant changes in the threat landscape, regulatory requirements, or organizational structure. All updates are approved by the Vice President.