Security

1. Security Governance

• We have a Security Steering Group (SSG) who oversees our security posture and reports directly to our board.
• Every team member is informed of their security responsibilities, promoting a culture of accountability and vigilance.

2. Data Protection and Privacy

• Our data, both in transit and at rest, is encrypted to safeguard its confidentiality and integrity.
• We classify our data meticulously and manage it according to its sensitivity, ensuring compliance with global data protection regulations.
• Annual audits are planned to ensure ongoing compliance with standards such as GDPR and CCPA, reinforcing our commitment to data privacy.

3. Access Control

• By adhering to the principle of least privilege and implementing role-based access control (RBAC), we ensure that access to sensitive information is strictly regulated.
• Multi-factor authentication (MFA) is a standard practice for accessing our systems, enhancing our security framework.
• Access permissions are regularly reviewed and adjusted in response to role changes or employment status updates, maintaining the integrity of our access control measures.

4. Incident Response and Management

• We have a robust incident response plan that outlines clear procedures for managing security incidents, including how we notify affected customers and stakeholders.
• Through regular drills, we ensure our team is prepared to respond effectively to security incidents.
• Compliance with legal and regulatory reporting requirements is strict, with significant incidents reported to authorities within the mandated timeframe.

5. Network Security

• Our network is protected with firewalls, intrusion detection, and prevention systems, monitoring and safeguarding our traffic 24/7.
• Network security assessments and penetration testing are performed regularly, identifying and mitigating vulnerabilities proactively.

6. Application Security

• We follow a secure software development lifecycle (SDLC) that integrates security reviews, vulnerability assessments, and code analysis.
• Application vulnerabilities are routinely scanned using advanced security tools, ensuring our applications are resilient against attacks.
• We strive to keep all third-party software and dependencies updated automatically, minimizing the risk posed by known vulnerabilities.

7. Employee Training and Awareness

• Security awareness training is an ongoing activity for all employees, covering critical topics such as phishing and secure internet practices.
• Employees are encouraged to report any suspicious activity to the SSG, contributing to our proactive security stance.

8. Vendor and Third-Party Security

• We rigorously assess the security practices of third-party vendors before and during our engagement with them.
• Our contracts with vendors include specific security requirements and obligations, ensuring they meet our high standards.
• Vendor compliance is continuously monitored, managing the risks associated with third-party access to our data effectively.

At We Are Learning, these practices are not just policies; they are the foundation of our daily operations, ensuring the security and trust of our customers and partners.