Children’s Information: We only collect personal information through the Services from a child under 13 where that Student’s school, school district, and/or teacher has agreed (via the terms described in the Terms of Service) to obtain parental consent for that child to use the Services and disclose personal information to us for the use and benefit of the learning environment. If we learn that we have collected personal information from a child under 13 without parental consent being obtained by the child’s school, school district, and/or teacher, we will delete that information. If you believe that a child under 13 may have provided us with personal information in violation of this paragraph, please contact us at firstname.lastname@example.org.
Information We Collect
Information You Provide To Us
We receive and store any information you knowingly enter through the Services. This information may include, but is not limited to, the following:
- Registration information, including your name, username, email address, profile picture, and school affiliation
- The grade level and names of classes that you teach or attend
- Any documents that you upload, create, or complete using the Services, such as items you add to your bookshelf, as well as notes, flags, and assessments (including tests, quizzes, assignments, and papers) that you create or complete
- Information that Educators provide about Students, including evaluations, grades and test results, attendance, notes and feedback, and any other information provided by the Educator about a Student
- Information about parents/guardians provided by Educators or Students, including name, relationship to Students, email address, and phone number
- Any other information uploaded to or entered into the Services
- If you use our referral service to tell someone about Otus, we will collect that person’s name and email address
Information Collected Automatically
We receive and store certain types of information whenever you use our Services. When you access or use an Otus mobile application, navigate to our websites, or use the browser provided in an Otus mobile application, we automatically receive and record information in our server logs. This information includes your IP address, cookie information, and the page you requested. We also record the details of your activity and the number and frequency of visitors to our Services, including your location when accessing the Services. For example, we receive and store information about whether you access the Services from a school, home, or other location.
We use various technologies to collect web browsing information, and this may include sending cookies to your computer or tablet. Cookies are small data files stored on your hard drive or in device memory that help us improve our Services and your experience, understand which areas and features of our Services are popular, and count visits. We may also collect information using web beacons (also known as “tracking pixels”). Web beacons are electronic images that may be used in our Services or emails and that help deliver cookies, count visits, understand usage and campaign effectiveness, and determine whether an email has been opened and acted upon. For more information about cookies, and how to disable them, please see “Your Choices” below.
When you download an Otus mobile application, we automatically collect information about the type of device, the name and version of the operating system, the name and version of the application, the unique device ID, and the actions you perform in the application. We also use analytics software to help us better understand the functionality of our application and Services. This software may record information such as how often you use Otus, what you do using the Services, and performance data.
How We Use Information
We use the information we collect to provide, maintain, personalize, and improve our Services; to respond to your comments, questions, and requests; to provide customer services, including technical support; and for any other purpose for which the information was collected. If you are an Educator, we may use the information we collect to send you marketing and product communications to the email address you provide or by other means. If you are a Student, we may use your email address to send you product updates, such as information about new features or functionalities. We use automatically collected information to determine how often users use parts of the Services, so that we can make the Services appealing and relevant to as many users as possible, and to customize and improve those Services.
How We Share Information
We may share information with vendors, consultants, and other service providers who access such information to carry out work on our behalf.
In the event of any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company, user information may be transferred to or acquired by a third party.
Protection of Otus and Others
We may release personal information if we believe disclosure is in accordance with any applicable law, regulation or legal process, or as otherwise required by any applicable law, rule or regulation. It may also be released if we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of Otus users or others.
How We Protect Information
Otus takes reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. Your Otus account uses the same login as your Google or Google for Education account, and is protected by a password for your privacy and security. You may help protect against unauthorized access to your account and personal information or your Student’s personal information by selecting and protecting the password associated with the account appropriately.
You may update, correct or delete personal information about you at any time by editing your profile information. Changes to your Google account information must be made through Google; Otus has no ability to make modifications to your Google account information. Note that if the Google account tied to your Otus account is deactivated, or if you revoke Otus’s access rights within your Google account, you will not be able to access your Otus account or any of the content stored with Otus. We may retain cached or archived copies of personal information about you and content stored with Otus only as needed for educational purposes by an authorized user. This information is then deleted once the data is no longer needed for the student within the context of school.
If you are the parent or guardian of a child under 13 and would like to request that personal information regarding your child be updated or deleted, or if you’d like to refuse further contact of your child by the Services, please contact us at email@example.com. We will respond to a request made pursuant to this section within 30 days of our receipt of such request.
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies.
Incident Response Policy
This Policy governs Otus LLC’s detection, response, documentation, and reporting of Incidents affecting Information Resources. Incidents include, but are not limited to, unauthorized access, theft, intrusion, misuse of data, other activities contrary to Otus LLC’s Acceptable Use Policy, denial of service, corruption of software, and other computer- and electronic-communication-based events.
This Policy is established to protect the integrity, availability and confidentiality of information, prevent loss of service, and comply with legal requirements. This Policy establishes an Incident Response Team and the process for identifying and reporting an Incident, initial investigation, risk classification, documentation and communication of Incidents, responder procedures, Incident reporting, and training.
This Policy applies to all individuals who manage and are responsible for Otus LLC’s Information Resources.
The Chief Security Officer (CSO) shall ensure:
Procedures and processes identify and respond to suspected or known Incidents, mitigate them to the extent practicable, measure harmful effects of known Incidents, document Incidents and their outcomes, collect evidence, and provide appropriate reporting to Otus LLC management.
Incident response procedures list examples of security Incidents and the appropriate responses for each.
An Incident Response Team has been assembled to receive notice of Incidents and manage the process of investigating, responding to, and reporting of the Incident.
Establishment of an Incident Response Team
The CSO is responsible for Incident detection and remediation of Information Resources. The CSO will consult key representatives of Otus LLC’s IT, Human Resources, Legal, Internal Audit, or other departments as warranted to establish an Incident Response Team appropriate to respond to a specific Incident.
As necessary, the CSO and Incident Response Team shall assign Staff to manage specific security Incidents. The Plan and its supporting procedures shall address the following:
Plan. An Incident Response Plan (Plan) shall be developed. The Plan shall be reviewed and approved by the Board of Directors or a committee that reports to the Board of Directors. The Plan shall document applicable state and federal laws, regulations, and standards to ensure response procedures meet appropriate requirements. The Plan shall be tested at least annually to ensure it is sufficient and effective. The Plan shall be updated as a result of such tests.
Initial Investigations. The Plan shall provide a quick and orderly response to Incidents. The Plan will identify steps to be followed for the initial reporting of events and subsequent investigations. Where appropriate, Staff will be on call to handle Incidents reported outside of standard business hours.
Risk Classification. The initial investigations will identify the Incident severity level and classify the risk to the organization according to the guidelines contained in the Risk Assessment Classification section of this Policy.
Documentation and Communications. The initial investigation staff will inform the CSO of the Incident and the preliminary risk classification. The CSO shall follow the guidelines identified in the Documentation and Communication of Incidents section of this Policy.
Responder Procedures. The CSO shall identify the appropriate procedures and Staff to address the specific Incident. Responders will attempt to identify as much information about the event as possible in order to limit additional adverse effects. Responders and appropriate Staff will evaluate and recommend to the CSO the appropriate actions to be taken.
Special Situations/Exceptions. The CSO shall identify and document procedures that address special situations and exceptions.
Incident Reporting. The CSO shall keep management informed on the status of current Incidents. A post-Incident report shall be created.
Training and Testing. The CSO shall ensure Staff have the proper training to fulfill their Incident response roles and responsibilities.
Identifying and Reporting Incidents
The Incident Response Team shall work with Otus LLC departments to establish proactive monitoring systems that can identify potential Incidents. Examples of Incidents include, but are not limited to, ransomware, malware, data breaches, denial of service (DoS), and insider attacks. In addition, any Otus LLC Staff may refer an activity or concern to the IT Operations Center.
Once an Incident has been reported, the Incident Response Team will log and track Incidents and, working with others as appropriate, take steps to investigate, escalate, remediate, refer to others, or otherwise address as outlined in the remainder of this Policy.
In addition to reporting Incidents, Staff shall report to the appropriate management any weaknesses or deficiencies in Information Resources.
Risk Assessment Classification
The CSO will establish an internal risk assessment classification to focus the response to each Incident, and to establish the appropriate team participants to respond. This classification matrix will correspond to an “escalation” of contacts and will indicate which personnel at Otus LLC to involve and which procedure would be applicable for each class of Incident.
In general, Incidents are assigned to one of the following classifications:
Unauthorized access – a person, process, or program is granted unauthorized physical or logical access to Information Resources.
This classification includes a breach of sensitive data and should be reported to the CSO as soon as the Incident is detected.
Denial of service (DoS) – an attack that overloads an Information Resource to prevent it from performing its normal function. Distributed Denial of Service (DDoS) attacks are large-scale attacks from multiple sources.
Malicious software (malware) – infects an operating system or application and prevents the software from performing its intended operation. In addition, the malware may delete software and data, compromise the integrity of information, and disclose sensitive information to unauthorized personnel.
Improper use – a person, process, or program that violates acceptable use policies. Examples include a disgruntled Staff member who ignores policies and procedures, a network administrator who circumvents or tampers with logging, and a Staff member who extracts customer lists.
Scans/probes/attempted access – a person, process, or program that attempts to identify vulnerabilities through the use of vulnerability scanning, network mapping, and penetration testing tools.
Other – this classification includes types of Incidents not described above, such as unconfirmed Incidents, potentially malicious events, or other activity that warrants additional review.
The CSO, working with appropriate Otus LLC Staff, shall estimate the financial cost of responding to an Incident in each of the above classifications (for example, the cost of responding to unauthorized access to personally identifiable or other Sensitive Information). Such estimates shall be conveyed to the Otus LLC Board of Directors or a committee that reports to the Board of Directors.
Documentation and Communication of Incidents
The CSO will ensure that Incidents are appropriately logged and archived. Any Incidents involving sensitive information will be identified so the appropriate security procedures can be followed. The CSO will provide current status and reports to Otus LLC executive management.
Wherever possible, documentation of such Incidents will cross-reference other event databases such as IT trouble ticket and network monitoring systems. Any Incidents involving systems that are tracked in the inventory database will be cross referenced in that database with the CSO Incident tracking log.
The CSO or Incident Response Team representatives are responsible for communicating the Incident to appropriate personnel and maintaining contact, for the purpose of update and instruction, for the duration of the Incident.
The CSO shall maintain standard responder procedures for the response to and investigation of each Incident, as well as for securing the custody of any evidence obtained in the investigation. The application of these procedures shall be governed by the classification described above as well as by the Incident Response Plan. Staff shall refer to the Incident Response Plan for specific information on how to manage and respond to Incidents. The procedures will specify, for each Incident, whether custody of evidence is required and, if so, the location and method of custody.
Any personally owned devices, such as PDAs, phones, wireless devices or other electronic transmitters which have been used to store sensitive information and are determined to contribute to an Incident, may be subject to seizure and retention by Otus LLC Staff. By using personally owned devices within the Otus LLC network for business purposes, Staff are subject to Otus LLC policies restricting their use.
In the event that a follow-up action concerning a person or organization after an information security Incident requires legal action, proper forensic procedures, including chain of custody, shall be required for the collection, retention, and presentation of evidence to support potential legal action, subject to the relevant jurisdiction. Refer to the Data Retention Policy for more information in this area.
Cloud computing controls shall be put in place to protect Tenant privacy and to provide automated, formal breach notification to a Tenant upon the compromise of that Tenant’s system(s).
The CSO shall provide appropriate reporting to Otus LLC executive management. Such reporting includes, but is not limited to, updates that inform management of relevant details, risks, current status and progress, tasks to be completed, and expected outcomes and dates. Post-Incident reporting shall include appropriate details, mitigation actions and timeframes, and lessons learned.
In addition to reporting on specific Incidents, the CSO shall provide annual reporting to company management summarizing the Incidents reported and actions taken. The annual report shall identify the numbers and types of Incidents, impact, costs incurred, lessons learned, and other relevant factors.
Incident reports and supporting documents shall be retained in accordance with Otus LLC’s Data Retention Policy.
The CSO is responsible for ensuring that Incident response team members and related Staff have the proper training and acknowledgement of their duties and responsibilities and appropriate Incident response policies, procedures, plans and related documents. No less than annually, awareness and refresher training shall be provided to maintain Incident response readiness and competency. The CSO may also arrange Incident response exercises to test and evaluate Staff, related procedures, and the ability to respond to Incidents in a timely and effective manner.
Any Staff found to have violated this policy may be subject to disciplinary action, up to and including termination.
This policy is to be distributed to the Chief Security Officer, Company Management, Director of IT, and Security Staff.
COBIT EDM01.01, APO12.02, APO12.07, APO13.07, DSS03.02, DSS05.02, MEA03.01
GDPR Article 33, 34
HIPAA 164.308(a)(6)(ii), 164.314(a)(2)(i), ARRA 13402
ISO 27001:2013 A.16
NIST SP 800-37 3.5, 3.7
NIST SP 800-53 AU-4, AU-6, AU-10(3), AU-11, CA-7, IR-4, IR-6, IR-8, SI-2, SI-4
NIST Cybersecurity Framework DE.AE-2-4, DE.CM-1-6, DE.DP-2, RS.MI-2, RC.RP-1
PCI 11.1.2, 11.5.3, 12.8.3, 12.10