

Cybersecurity & Data Protection Statement
ISMINC (ISM) is committed to safeguarding the security and privacy of our clients and users — including students, educators, administrators, and families who rely on our services for education management, enrollment scheduling, and financial aid processing. We understand the sensitive nature of the information you entrust to us, and we take strong measures to protect it.
Our security practices are built around industry-leading standards and align with the Center for Internet Security (CIS) Critical Security Controls, a rigorous framework recognized globally for its comprehensive approach to cybersecurity and securing information systems and data. We have implemented a multi-layered security approach to ensure robust protection of all digital assets.
We continuously evolve our security posture to meet new challenges and provide a safe, reliable environment for learning and financial services.
This statement outlines how we protect your data, how we handle security incidents, and what steps you can take to enhance your own security when using our services.
How We Protect Your Data
We employ a multi-layered approach to security, including:
- Cloud Security with AWS: Our platforms and applications are hosted on Amazon Web Services (AWS), which provides industry-leading security features, including advanced firewalls, intrusion detection, and automated threat monitoring. AWS regularly participates in independent third-party cybersecurity assessments and holds current certifications and attestations, including SOC 2 Type 2, ISO 27001, NIST and HIPAA.
- Encryption: Data is encrypted both in transit and at rest using industry-standard protocols (e.g., TLS 1.2+, AES-256) to prevent unauthorized access.
- Access Controls: We enforce strict access controls with multi-factor authentication (MFA) and role-based access frameworks, ensuring only authorized personnel access sensitive information.
- Continuous Monitoring & Threat Detection: We use ongoing monitoring and automated threat detection to quickly identify and mitigate potential threats.
- Regular Security Testing: We conduct periodic security reviews, vulnerability scans, and penetration testing to proactively strengthen our defenses.
- Third-Party Risk Management: We carefully vet and monitor third-party vendors to ensure they meet our security and privacy standards, especially when handling sensitive data.
Financial & Sensitive Data Protection
We recognize that financial aid applications and student records contain especially sensitive information, including identity numbers, tax documents, and household income details. Here’s how we protect that data:
- Data Controls: Storage of and access to financial and personally identifiable information (PII) have additional restrictions in accordance with role-based least-privilege principles.
- Minimal Data Collection: We collect only the data necessary to provide our services.
- Digital Documents: Supporting documentation is stored in encrypted, access-controlled environments.
- Transparent Data Usage: Clear communication about how collected data is used and protected.
- User Control: Mechanisms for users to access, modify, and request deletion of their personal information.
Refer to ISMINC’s Privacy Policy for additional information.
How ISM Handles Security Incidents
Despite robust protections, no system is completely immune to threats. If a security incident occurs:
- Incident Response Plan: We have a trained incident response team that immediately investigates, contains, and mitigates security incidents.
- User Notifications: If your data is affected, we will notify you promptly, providing clear guidance on the situation and any recommended actions.
- Regulatory Compliance: We follow all applicable U.S. and Canadian breach notification laws, including notifying regulators and impacted users as required.
Security Awareness and Training
Our employees undergo regular cybersecurity training to recognize and mitigate threats such as phishing, social engineering, and other attack vectors. Our security team regularly reviews and updates our policies, procedures and technologies. Security awareness is embedded in our culture to ensure everyone plays a role in protecting client and user data.
Compliance & Standards
Our security practices are designed to meet or exceed applicable regulations and industry standards, including NYS DFS Reg. 500, and relevant U.S. and Canadian data protection laws.
Your Role in Security
While we work hard to secure your data, cybersecurity is a shared responsibility. You can enhance your safety by:
- Using Strong Passwords: Choose complex passwords and avoid reusing them across different platforms.
- Enabling MFA: Where available, enable multi-factor authentication for an added layer of protection.
- Recognizing Phishing & Scams: Be cautious of suspicious emails or messages claiming to be from ISM — we will never ask for your password or sensitive data via email.
- Keeping Software Updated: Ensure your devices and browsers are regularly updated with the latest security patches.
If you ever receive suspicious communications or notice unusual account activity, please contact us immediately.