Website Security Policy for Legacy Homeschool

Effective Date: June 26, 2026
Applicability: All administrators, instructors, volunteers, and third-party vendors.

1. Purpose & Scope

This policy establishes the security requirements for legacyhomeschool.net. It aims to protect the confidentiality, integrity, and availability of student records, parental data, and educational resources. This policy applies to all systems, networks, and databases associated with the website.

2. Data Protection & Privacy

  • Data Classification: All student grades, enrollment records, and parental billing data are classified as Confidential.

  • Regulatory Compliance: The website must comply with the Children’s Online Privacy Protection Act (COPPA) by strictly forbidding the collection of personal data from children under 13 without verifiable parental consent.

  • Transit Encryption: Hypertext Transfer Protocol Secure (HTTPS) utilizing Transport Layer Security (TLS 1.3) must be enforced across all pages.

  • Storage Encryption: All sensitive data, including passwords and payment tokens, must be encrypted at rest using AES-256 standards.

3. Access Control & Authentication

  • Principle of Least Privilege: Users (teachers, parents, students) will only have access to the specific data required to perform their tasks.

  • Multi-Factor Authentication (MFA): Mandatory for all administrative and instructor accounts.

  • Password Complexity: Passwords must require a minimum of 12 characters, including uppercase, lowercase, numbers, and symbols.

  • Session Management: Idle administrative sessions must automatically log out after 15 minutes of inactivity.

4. Technical Safeguards & Vulnerability Management

  • Content Security Policy (CSP): HTTP headers must be configured to restrict script execution to trusted domains, preventing Cross-Site Scripting (XSS).

  • Input Validation: All user-facing forms must use strict input sanitization to prevent SQL injection and code injection attacks.

  • Software Updates: The core Content Management System (CMS), plugins, and server software must be patched within 48 hours of a critical security release.

  • Backups: Full, encrypted backups of the website and database must be generated daily and stored in a secure offsite location.

5. Incident Response & Breach Notification

  • Detection: Automated logging must track failed login attempts, unauthorized file changes, and database anomalies.

  • Containment: In the event of a breach, the compromised system must be isolated immediately to prevent data exfiltration.

  • Notification: If student or parental data is compromised, affected users must be notified via email within 72 hours of breach confirmation.

Copyright © 2023 Legacy Homeschool Academy. All rights reserved

IRS 501(c)(3) Approval Letter
Articles of Incorporation
SC Secretary of State Search
Bylaws