Lyfe Course's Data Security & Privacy Plan
Aligned with NIST CSF, NIST SP 800-53/800-171, ISO 27000, and CIS Controls
Overview
Lyfe Course is a digital financial literacy platform designed for grades 9–12, delivered through integrations with school Learning Management Systems (LMS) and Student Information Systems (SIS) via Edlink. We are committed to protecting student and educator data by following best practices drawn from widely recognized security frameworks.
We do not directly collect student data outside of the integration, and all personal information is exchanged through secure, FERPA-compliant channels via Edlink.
1. Framework Alignment
NIST Cybersecurity Framework (CSF v1.1)
We align with the five core functions:
Identify: Maintain inventory of data types accessed via Edlink, roles and permissions, and authorized systems.
Protect: Enforce encryption, access controls, and data minimization strategies.
Detect: Monitor authentication and authorization anomalies through integration logs.
Respond: Incident response playbook aligned with FERPA and state regulations.
Recover: Cloud-based recovery and backup strategy for instructional materials and system settings.
NIST SP 800-53 / 800-171 Controls
We incorporate relevant NIST controls for educational platforms:
AC-2 (Account Management): Access rights managed by school's existing identity provider via Edlink
SC-12/SC-13 (Cryptographic Protection): End-to-end encryption using TLS 1.2+; Edlink APIs meet or exceed these standards
CM-6 (Configuration Management): Static IPs and locked hosting environments to prevent unapproved software changes
AU-2 (Audit Events): Login and sync activity captured through Edlink dashboard
ISO 27000 Series (Inspired)
While not certified, our data handling and internal policies are inspired by ISO 27001/27002 principles:
Formalized data access roles
Periodic review of risk and vendor assessments
Staff security training
Strong vendor management processes
CIS Critical Security Controls
Lyfe Course aligns with applicable CIS Top 20 Controls for SaaS EdTech delivery:
CSC 1: Inventory of devices and services that access Lyfe Course admin panel
CSC 4: Hardened configurations for cloud servers and CMS
CSC 6: Centralized logging and anomaly detection through hosting and Edlink API
CSC 16: Secure coding practices in lesson development tools and platform delivery
2. Data Privacy Compliance
Edlink as Secure Integration Layer
Lyfe Course does not require or store usernames, passwords, or raw student data.
All integrations are done via Edlink, which is FERPA-compliant and allows the school to control data access.
We do not monetize, resell, or cross-share any student data received through integration.
Regulatory Compliance
Lyfe Course ensures compliance with:
FERPA: Operates as a school official with legitimate educational interest
COPPA: Does not collect data from students under 13
State Privacy Laws: SOPIPA, NY Ed Law 2-d, and others
Data Minimization & Retention
No data collected beyond what is necessary for lesson tracking and school-rostered access
Data deleted upon termination of service or at school request
3. Hosting, Encryption & Access
Hosting: All content and infrastructure are hosted on secure U.S.-based cloud providers (AWS/GCP)
Encryption: TLS 1.2+ for data in transit; no sensitive data stored at rest
Access Control: Role-based access for school admins, teachers, and support staff
Audit Trails: Integration logs maintained by Edlink and platform backend
4. Security Practices & Incident Response
Secure Development Lifecycle (SDLC): All code reviewed for vulnerabilities before deployment
Third-party Pen Testing: Conducted annually
Incident Response:
Immediate notification to client within 72 hours if a breach involves student data
Procedures follow NIST IR guidelines
5. Vendor Management
Edlink: Primary integration vendor, maintains its own SOC 2 and FERPA compliance
Other Vendors: Limited to cloud hosting or analytics partners; all under DPA
6. Internal Training & Policy
All team members complete security awareness training
Written policies for:
Acceptable Use
Vendor Access
Data Requests
Incident Handling
Summary Table

| Framework/Standard | Alignment | Notes |
|---|---|---|
| NIST CSF v1.1 | Full | Internal and vendor processes align with CSF's lifecycle |
| NIST SP 800-53 / 800-171 | Partial | Applied selectively to integration and data handling policies |
| ISO/IEC 27001/27002 | Inspired | Policies follow ISO best practices, though not certified |
| CIS Critical Security Controls | Partial | Controls relevant to EdTech SaaS are implemented |
| FERPA / COPPA / State Laws | Compliant | Data privacy practices follow federal and state guidelines |