Product: PowerSchool Behavior Support
Vetted by
Rich
Gay,
Chief Information Security Officer
at PowerSchool Group LLC
on 2024-07-24
Security Rubric Results
- N/A
- UNMET
- PARTIAL
- MEETS
Documentation & Company Information
Data
Systems Management
Third Party Assessment
| Rubric Area | Expectations | ||
|---|---|---|---|
| Documentation & Company Information | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
DOC01 - Have you undergone an external audit?
ANSWER: Has undergone an external audit and can share the audit results or certificate
User Notes:
PowerSchool’s security program is audited via ISO 27001:2022 to ensure adherence to industry standards for safeguarding data. The resulting reports from the audits are made available to customers behind NDA through our Whistic platform.
PowerSchool’s security program is audited via ISO 27001:2022 to ensure adherence to industry standards for safeguarding data. The resulting reports from the audits are made available to customers behind NDA through our Whistic platform.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC02 - Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)
ANSWER: Conforms with a specific industry standard and can show evidence of conformance
User Notes:
PowerSchool independently verifies its security posture and business continuity framework to internationally recognized standards for information security management system (ISMS) and has been accredited with ISO/IEC 27001:2022 certification.
PowerSchool independently verifies its security posture and business continuity framework to internationally recognized standards for information security management system (ISMS) and has been accredited with ISO/IEC 27001:2022 certification.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC03 - Does your organization have a documented data privacy policy?
ANSWER: Yes
User Notes:
Please see the following link to read our policy: https://www.powerschool.com/privacy/
Please see the following link to read our policy: https://www.powerschool.com/privacy/
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC04 - Do you have a documented, and currently implemented, employee onboarding and off boarding policy?
ANSWER: Yes
User Notes:
We have established processes to ensure effective onboarding and offboarding procedures, which include conducting background checks for new hires and ensuring that access to systems and facilities is promptly granted or revoked as needed. These procedures are designed to maintain security and compliance throughout an employee's tenure with the company.
We have established processes to ensure effective onboarding and offboarding procedures, which include conducting background checks for new hires and ensuring that access to systems and facilities is promptly granted or revoked as needed. These procedures are designed to maintain security and compliance throughout an employee's tenure with the company.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC05 - Do you have a well documented Disaster Recovery Plan (DRP) that is tested annually?
ANSWER: Yes
User Notes:
Business continuity and disaster recovery plans are developed and updated on an annual basis and include the range of disaster scenarios and steps the business will take in such event to ensure the timely resumptions of critical business operations. For security reasons, BCP plans are considered confidential and internal to PowerSchool.
Business continuity and disaster recovery plans are developed and updated on an annual basis and include the range of disaster scenarios and steps the business will take in such event to ensure the timely resumptions of critical business operations. For security reasons, BCP plans are considered confidential and internal to PowerSchool.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC06 - Do you have a documented and currently followed change management process (CMP)?
ANSWER: Has a fully documented process & process is followed and includes a change log
User Notes:
Change management procedures include the following elements:
Changes are approved prior to being deployed. The ability to approve changes are limited to specific job roles. All scheduled change requests must be submitted in advance so that there is sufficient time to review the request, determine and review potential failures, and make the decision to allow or delay the request. Requests should include provisions for reverting the changes should they introduce bugs, instability or other issues. Change Management Procedures contain provisions for handling emergency changes. The emergency change provisions should define the broad conditions under which and emergency change may be made, who can approve the change and require that it be documented once completed.
Change management procedures include the following elements:
Changes are approved prior to being deployed. The ability to approve changes are limited to specific job roles.
All scheduled change requests must be submitted in advance so that there is sufficient time to review the request, determine and review potential failures, and make the decision to allow or delay the request.
Requests should include provisions for reverting the changes should they introduce bugs, instability or other issues.
Change Management Procedures contain provisions for handling emergency changes. The emergency change provisions should define the broad conditions under which and emergency change may be made, who can approve the change and require that it be documented once completed.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC07 - Have you had a reportable breach in the last 5 years?
ANSWER: No reportable breaches in the last 5 years
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC08 - Do you have a dedicated Information Security staff or office?
ANSWER: Has a fully dedicated Information Security staff or office
User Notes:
PowerSchool Information Security is organized under and reports to PowerSchool’s Chief
Information Security Officer (CISO). The team is organized into several groups: 24x7 Security Operations Center team dedicated to monitoring infrastructure and application security and responding to security incidents. Security analyst team dedicated to managing risk and compliance within the organization. Security engineers dedicated to application and infrastructure security. Additionally, PowerSchool has security personnel in Corporate IT and Cloud Operations dedicated to the security of PowerSchool corporate and product infrastructure and tooling. Leadership of these teams are accountable to PowerSchool CISO.
PowerSchool Information Security is organized under and reports to PowerSchool’s Chief
Information Security Officer (CISO). The team is organized into several groups:
24x7 Security Operations Center team dedicated to monitoring infrastructure and
application security and responding to security incidents.
Security analyst team dedicated to managing risk and compliance within the organization.
Security engineers dedicated to application and infrastructure security.
Additionally, PowerSchool has security personnel in Corporate IT and Cloud Operations dedicated to the security of PowerSchool corporate and product infrastructure and tooling. Leadership of these teams are accountable to PowerSchool CISO.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC09 - Do you follow dev ops practices?
ANSWER: Follows devsec ops practices
User Notes:
PowerSchool has a dedicated software and system development team and practices Security and Privacy by design. Some security principles designed into the product and SDLC are: secure development is to reduce the overall risk by reducing the attack surface area. This is done by following guidelines from the Top 10 OWASP. Requirements of password complexity, Principle of Least privilege, Principle of defense in depth, etc.
PowerSchool has a dedicated software and system development team and practices Security and Privacy by design. Some security principles designed into the product and SDLC are: secure development is to reduce the overall risk by reducing the attack surface area. This is done by following guidelines from the Top 10 OWASP. Requirements of password complexity, Principle of Least privilege, Principle of defense in depth, etc.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC10 - Can you share the organization chart, mission statement, and policies for your information security unit?
ANSWER: Is willing to share some but not all of the requested information (see notes to clarify what information is shared)
User Notes:
PowerSchool's mission statement can be found in our website : https://www.powerschool.com/company/ .
Our Information Security Governance Policy is accessible to customers under Non-Disclosure Agreements (NDAs) through our Whistic platform. However, our organization chart for the Information Security Unit is considered internal and cannot be shared due to security reasons.
PowerSchool's mission statement can be found in our website : https://www.powerschool.com/company/ .
Our Information Security Governance Policy is accessible to customers under Non-Disclosure Agreements (NDAs) through our Whistic platform. However, our organization chart for the Information Security Unit is considered internal and cannot be shared due to security reasons.
|
Unselected Option: | Answer Partially Meets Expectations | Unselected Option: |
|
User Notes
User Notes
DOC11 - Are information security principles designed into the product lifecycle?
ANSWER: Information security principles are designed into the product lifecycle and tested against security requirements at each functional code revision
User Notes:
PowerSchool implemented and practices Security and Privacy by design. Some security principles designed into the product and SDLC are: secure development is to reduce the overall risk by reducing the attack surface area. This is done by following guidelines from the Top 10 OWASP. Requirements of password complexity, Principle of Least privilege, Principle of defense in depth, etc.
PowerSchool implemented and practices Security and Privacy by design. Some security principles designed into the product and SDLC are: secure development is to reduce the overall risk by reducing the attack surface area. This is done by following guidelines from the Top 10 OWASP. Requirements of password complexity, Principle of Least privilege, Principle of defense in depth, etc.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC12 - Do you have a documented information security policy?
ANSWER: Yes
User Notes:
The PowerSchool Information Security Governance Policy is made available to customers behind NDA through our Whistic platform.
The PowerSchool Information Security Governance Policy is made available to customers behind NDA through our Whistic platform.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC13 - Do you have a formal incident response plan?
ANSWER: Yes and regularly exercised and people are regularly trained
User Notes:
Identifying and responding to security incidents is an important part of our security operations. The Incident Management and Communication Plan defines detailed roles and responsibilities that are initiated when actual or potential security incidents are identified. This plan follows industry best practices and is modeled after the PICERL (Preparation, Identification, Containment, Eradication, Remediation and Lessons Learned) method to provide quick response, effective isolation and containment, thorough root cause analysis, and appropriate remediation.
Identifying and responding to security incidents is an important part of our security operations. The Incident Management and Communication Plan defines detailed roles and responsibilities that are initiated when actual or potential security incidents are identified. This plan follows industry best practices and is modeled after the PICERL (Preparation, Identification, Containment, Eradication, Remediation and Lessons Learned) method to provide quick response, effective isolation and containment, thorough root cause analysis, and appropriate remediation.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC14 - Do you carry cyber-risk insurance?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC15 - Do you have either an internal incident response team or retain an external team?
ANSWER: Yes, both internal and external
User Notes:
PowerSchool has an internal incident response team and maintains a retainer for external incident response support when needed.
PowerSchool has an internal incident response team and maintains a retainer for external incident response support when needed.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DOC16 - What is your capability to respond to incidents?
ANSWER: Yes, 24x7x365
User Notes:
PowerSchool maintains around-the-clock monitoring of security incidents. Our dedicated Security Operations Center (SOC) team ensures continuous surveillance and timely response.
PowerSchool maintains around-the-clock monitoring of security incidents. Our dedicated Security Operations Center (SOC) team ensures continuous surveillance and timely response.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Data | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
DA01 - Does the environment provide for dedicated single-tenant capabilities?
ANSWER: No
User Notes:
Shared Environment / Multi-Tenant
Shared Environment / Multi-Tenant
|
Unselected Option: | Unselected Option: | Answer Doesn't Meet Expectations |
|
User Notes
User Notes
DA02 - Is data encrypted in transport? (e.g. system-to-client, system-to-system)
ANSWER: Yes
User Notes:
TLS 1.2
TLS 1.2
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DA03 - Is sensitive data encrypted, using secure protocols/algorithms, in storage? (e.g. disk encryption, at-rest, files, and within a running database)
ANSWER: All data encrypted at rest
User Notes:
We implement standard AWS RDS encryption.
We implement standard AWS RDS encryption.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DA04 - Do you have a media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures?
ANSWER: Yes, has all of the above
User Notes:
PowerSchool implements comprehensive security measures throughout the entire data life cycle as part of our ISO 27001:2022 compliance and security framework. These measures apply to the physical and logical data in PowerSchool chain of custody. Included are secure processes for clearing, purging, and destroying of customer data to ensure it is sanitized and irretrievable.
PowerSchool implements comprehensive security measures throughout the entire data life cycle as part of our ISO 27001:2022 compliance and security framework. These measures apply to the physical and logical data in PowerSchool chain of custody. Included are secure processes for clearing, purging, and destroying of customer data to ensure it is sanitized and irretrievable.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DA05 - Will data regulated by PCI DSS reside in the vended product?
ANSWER: Not Applicable
User Notes:
PCI DSS is not applicable to us as we do not store credit card information.
PCI DSS is not applicable to us as we do not store credit card information.
|
NOT APPLICABLE | ||
|
User Notes
User Notes
DA06 - Are you able to accommodate storing each institution's data within their desired geographic region?
ANSWER: Yes
User Notes:
Data is stored and processed in Microsoft Azure cloud computing environments aligned with regulatory geographic requirements.
Data is stored and processed in Microsoft Azure cloud computing environments aligned with regulatory geographic requirements.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DA07 - Does the hosting provider have a SOC 2 Type 2 report available?
ANSWER: Has SOC 2
User Notes:
Behavior Support utilizes Microsoft Azure for cloud hosting services, which undergoes the SOC 2 Type 2 Audit. Please contact Microsoft directly for any necessary reports, as the Azure SOC 2 report is available upon signing an NDA directly with Azure.
Behavior Support utilizes Microsoft Azure for cloud hosting services, which undergoes the SOC 2 Type 2 Audit. Please contact Microsoft directly for any necessary reports, as the Azure SOC 2 report is available upon signing an NDA directly with Azure.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Systems Management | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
SM01 - Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)?
ANSWER: Yes
User Notes:
PowerSchool has a comprehensive systems management and configuration strategy that covers servers, appliances, cloud services, applications, and both company and employee-owned mobile devices. We maintain standard hardened configurations for servers, appliances, and mobile devices. Our PowerSchool Hosting solution ensures that all systems undergo extensive hardening aligned with our security framework, including disabling unnecessary services, user accounts, and ports.
For company-owned mobile devices, PowerSchool enforces device encryption. We centrally manage these systems to provide tracking and compliance reports
PowerSchool has a comprehensive systems management and configuration strategy that covers servers, appliances, cloud services, applications, and both company and employee-owned mobile devices. We maintain standard hardened configurations for servers, appliances, and mobile devices. Our PowerSchool Hosting solution ensures that all systems undergo extensive hardening aligned with our security framework, including disabling unnecessary services, user accounts, and ports.
For company-owned mobile devices, PowerSchool enforces device encryption. We centrally manage these systems to provide tracking and compliance reports
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM02 - Will the institution be notified of major changes to your environment that could impact the institution's security posture?
ANSWER: Yes, prior to the change
User Notes:
PowerSchool communicates application and system changes to customers through our Community portal. The schedule of regular maintenance windows, notification of emergency changes when need, and details of changes and release notes are published to customers.
PowerSchool communicates application and system changes to customers through our Community portal. The schedule of regular maintenance windows, notification of emergency changes when need, and details of changes and release notes are published to customers.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM03 - Are you utilizing a stateful packet inspection (SPI) firewall?
ANSWER: Yes, and alerts are actioned
User Notes:
All alerts are monitored by our SOC 24x7x365. We have a documented policy for firewall change requests. All changes to firewalls go through change management processes prior to execution.
All alerts are monitored by our SOC 24x7x365. We have a documented policy for firewall change requests. All changes to firewalls go through change management processes prior to execution.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM04 - Do you use an automated IDS/IPS system to monitor for intrusions?
ANSWER: Yes
User Notes:
PowerSchool uses Intrusion Detection System (IDS) to analyze network events and create alerts for anomalous activity. A SIEM is used to capture and correlate events and alerts from those systems as well as other sources. We also use uses best-of-breed Endpoint Detection and Response (EDR) software to identify and respond to security threats and unusual system activity. PowerSchool's Security Operations Center monitors and responds to alerts from the SIEM 24/7/365.
PowerSchool uses Intrusion Detection System (IDS) to analyze network events and create alerts for anomalous activity. A SIEM is used to capture and correlate events and alerts from those systems as well as other sources. We also use uses best-of-breed Endpoint Detection and Response (EDR) software to identify and respond to security threats and unusual system activity. PowerSchool's Security Operations Center monitors and responds to alerts from the SIEM 24/7/365.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM05 - Do you require direct connectivity to the Institution's network for support/administration or access into any existing systems for integration purposes?
ANSWER: Not Applicable
User Notes:
We do not require direct connectivity to the Institution's network
We do not require direct connectivity to the Institution's network
|
NOT APPLICABLE | ||
|
User Notes
User Notes
SM06 - Do you support access control (e.g. RBAC, ABAC, PBAC) for end-users?
ANSWER: Provides separation of at a minimum students, teachers / faculty and teaching assistants
User Notes:
User roles include: KB Admin (Classic & Next), Teacher (Next) and Student/Parent (Student Parent portal)
User roles include: KB Admin (Classic & Next), Teacher (Next) and Student/Parent (Student Parent portal)
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM07 - Do you support access control (RBAC, ABAC, or PBAC) for system administrators?
ANSWER: Yes, but not customizable for specialized admin types
User Notes:
We have 2 different customer side administrators. School_admin and kb_admin
We have 2 different customer side administrators. School_admin and kb_admin
|
Unselected Option: | Answer Partially Meets Expectations | Unselected Option: |
|
User Notes
User Notes
SM08 - Do you control and audit employee access to customer data?
ANSWER: Controlled, but not audited
User Notes:
We rigorously control access to customer data using Role-Based Access Control (RBAC) and Data Loss Prevention (DLP) solutions. RBAC ensures that access to customer data is strictly based on job responsibilities. , minimizing the risk of data exposure and misuse. Meanwhile, DLP solutions enable continuous monitoring of data protection policies, ensuring that sensitive customer information remains secure and compliant with regulatory requirements. Together, these measures form a robust framework that safeguards customer data against unauthorized access and potential breaches.
We rigorously control access to customer data using Role-Based Access Control (RBAC) and Data Loss Prevention (DLP) solutions. RBAC ensures that access to customer data is strictly based on job responsibilities. , minimizing the risk of data exposure and misuse. Meanwhile, DLP solutions enable continuous monitoring of data protection policies, ensuring that sensitive customer information remains secure and compliant with regulatory requirements. Together, these measures form a robust framework that safeguards customer data against unauthorized access and potential breaches.
|
Unselected Option: | Answer Partially Meets Expectations | Unselected Option: |
|
User Notes
User Notes
SM09 - Does the system provide data input validation?
ANSWER: Yes, follows OWASP guidelines
User Notes:
We leverage the Sanitize library in Node.js to sanitize user input, effectively mitigating risks such as SQL injection and cross-site scripting (XSS) attacks.
We leverage the Sanitize library in Node.js to sanitize user input, effectively mitigating risks such as SQL injection and cross-site scripting (XSS) attacks.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM10 - Are you using a web application firewall (WAF)?
ANSWER: Utilizes a web application firewall (WAF) and alerts are actioned
User Notes:
PowerSchool utilizes best-in-class web application firewall (WAF) to protect against application layer attacks including, but not limited to, DDoS, cross-site scripting (XSS) and SQL injection.
PowerSchool utilizes best-in-class web application firewall (WAF) to protect against application layer attacks including, but not limited to, DDoS, cross-site scripting (XSS) and SQL injection.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM11 - Do you subject your code to static code analysis and/or static application security testing prior to release?
ANSWER: Yes
User Notes:
We subject our application to static code analysis, dynamic analysis, and software composition analysis (SCA) testing prior to release. The PowerSchool Product Development team conducts scans on all PowerSchool application software to identify potential security vulnerabilities, including those outlined by the Open Web Application Security Project (OWASP). Issues identified are promptly remediated to ensure a clean scan before release.
We subject our application to static code analysis, dynamic analysis, and software composition analysis (SCA) testing prior to release. The PowerSchool Product Development team conducts scans on all PowerSchool application software to identify potential security vulnerabilities, including those outlined by the Open Web Application Security Project (OWASP). Issues identified are promptly remediated to ensure a clean scan before release.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM12 - Do you enforce MFA for vendor administrative access?
ANSWER: Uses MFA
User Notes:
MFA is enforced across internal networks where applicable throughout the organization
MFA is enforced across internal networks where applicable throughout the organization
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM13 - Does your solution support single sign-on (SSO) protocols for user and administrator authentication? (e.g. InCommon)
ANSWER: Does provide a institution approved SSO for institutional users and administrators
User Notes:
Through Clever, PowerSchool SIS, OKTA
Through Clever, PowerSchool SIS, OKTA
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SM14 - Are audit logs available to the institution that include AT LEAST all of the following; login, logout, actions performed, timestamp, and source IP address?
ANSWER: Audit logs include all of the following; login, logout, actions performed, and source IP address only by formal request
User Notes:
Access logs are managed by CloudTrail. However, the audit log for logins is maintained in the RDS database and can only be accessed by PowerSchool employees
Access logs are managed by CloudTrail. However, the audit log for logins is maintained in the RDS database and can only be accessed by PowerSchool employees
|
Unselected Option: | Answer Partially Meets Expectations | Unselected Option: |
|
User Notes
User Notes
SM15 - Can your system auto provision accounts through SSO?
ANSWER: No
User Notes:
N/A
N/A
|
Unselected Option: | Unselected Option: | Answer Doesn't Meet Expectations |
|
User Notes
User Notes
SM16 - Do you support differentiation between email address and user identifier?
ANSWER: Yes, and enforces it
User Notes:
PowerSchool has implemented edit checks to distinguish between an email address and other user identifiers based on the input context. While this differentiation may not be uniformly applied across all systems, edit checks are enforced where applicable.
PowerSchool has implemented edit checks to distinguish between an email address and other user identifiers based on the input context. While this differentiation may not be uniformly applied across all systems, edit checks are enforced where applicable.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Third Party Assessment | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
TP01 - Will institution data be shared with or hosted by any third parties?
ANSWER: Shared and/or hosted only to provide service
User Notes:
Institution data is shared only with vendors and hosting providers who provide specific services. PowerSchool conducts annual security reviews of all vendors and hosting providers. Our management also obtains and reviews attestation reports from vendors and third parties to assess the effectiveness of controls within their environments.
Institution data is shared only with vendors and hosting providers who provide specific services. PowerSchool conducts annual security reviews of all vendors and hosting providers. Our management also obtains and reviews attestation reports from vendors and third parties to assess the effectiveness of controls within their environments.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
TP02 - Do you perform security assessments provided of third party companies with which you share data? (i.e. hosting providers, cloud services, PaaS, IaaS, SaaS, etc.)
ANSWER: Yes
User Notes:
Institution data is shared only with vendors and hosting providers who provide specific services. PowerSchool conducts annual security reviews of all vendors and hosting providers. Our management also obtains and reviews attestation reports from vendors and third parties to assess the effectiveness of controls within their environments.
Institution data is shared only with vendors and hosting providers who provide specific services. PowerSchool conducts annual security reviews of all vendors and hosting providers. Our management also obtains and reviews attestation reports from vendors and third parties to assess the effectiveness of controls within their environments.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
TP03 - Have your systems and applications had a third party security assessment completed in the last year?
ANSWER: Yes, has a 3rd party assessment and can provide high level results and gives organization's name
User Notes:
All PowerSchool products undergo annual external penetration testing conducted by third-party firm. We conduct regular vulnerability assessments as part of our security practices. Additionally, PowerSchool’s security program is audited via ISO 27001:2022 to ensure adherence to industry standards for safeguarding data. The resulting reports from the audits are made available to customers behind NDA through our Whistic platform.
All PowerSchool products undergo annual external penetration testing conducted by third-party firm. We conduct regular vulnerability assessments as part of our security practices. Additionally, PowerSchool’s security program is audited via ISO 27001:2022 to ensure adherence to industry standards for safeguarding data. The resulting reports from the audits are made available to customers behind NDA through our Whistic platform.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
Vetting Context
Policies Cited
The following urls were cited as a basis for this information.
- Privacy Policy https://www.powerschool.com/privacy
- Security Practices https://www.powerschool.com/security/
Geographical Context
(Laws and regulations can vary across regions)
California
United States
Regulatory Compliance
The information below provides insight into compliance with various regulatory policies.
This application can be used by children under the age of 13.
Email Support@1edtech.org
The views and opinions expressed in this information are those of the authors and do not necessarily reflect the official policy or position of 1EdTech. The information provided is intended to surface trends about the policies and procedures of systems leveraged by the educational community. It should not be considered legal advice.
Disclaimer:
The 1EdTech TrustEd Apps Security Practices Rubric provides a
self-assessment tool for a supplier to evaluate their product,
according to the
1EdTech TrustEd Apps Security Practices Rubric Specification v1.0.
This information is to be a starting point for institutional
security review processes and is not intended to serve as a full
security review. Find out more
here.
© Copyright 2024 1EdTech Global Learning Consortium Inc. All Rights Reserved.
App Vetting Rubric Version: 2