Resources & Policies

1.0 Private Information Policy Statement

Andromeda Academy of Construction Services LLC’s (“Andromeda”) written policy regarding information security is intended as a set of comprehensive guidelines and policies designed to safeguard all sensitive data maintained at Andromeda, and to comply with applicable laws and regulations on the protection of Personal Information, as found on records and in systems owned by Andromeda.  

2.0 Overview

In accordance with federal and state laws and regulations, Andromeda is required to take measures to safeguard personally identifiable information, and to provide notice about security breaches of protected information at Andromeda to affected individuals and appropriate state agencies. 

In addition, Andromeda is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at Andromeda.  Andromeda has implemented a number of policies to protect such information.

3.0 Purpose

The purposes of this document are to:

• Establish a comprehensive information security program for Andromeda with policies designed to safeguard sensitive data that is maintained by Andromeda, in compliance with federal and state laws and regulations;
• Establish employee responsibilities in safeguarding data according to its classification level; and
• Establish administrative, technical and physical safeguards to ensure the security of sensitive data. 

4.0 Scope

This Program applies to all Andromeda employees, whether full- or part-time, including faculty, administrative staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the Andromeda community (hereafter referred to as the “Community”).  The data covered by this Program includes any information stored, accessed or collected at Andromeda or for Andromeda’s operations. 

4.1 Definitions

Personal Information (PI), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:

• Social Security number;
• Driver’s license number or state-issued identification card number; or
• Financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password. 

For the purposes of this Program, PI also includes passport number, alien registration number or other government-issued identification number.

4.2 Data Classification

All data covered by this policy will be classified into one of three categories outlined below, based on the level of security required for each, starting with the highest level.

Confidential

Confidential data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a significant level of risk to Andromeda or the Community. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration or disclosure.

Confidential data includes any data that is protected by federal or state laws or regulations, including, but not limited to, data protected under the following privacy laws: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Family Educational Rights and Privacy Act (FERPA).  Information protected by these laws includes, but is not limited to, PI, Protected Health Information (PHI), student education records and financial aid information.

Confidential data also includes other sensitive personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations or reputation of Andromeda. This data includes, but is not limited to, donor information, Andromeda financial records, employee salary information, or information related to legal or disciplinary matters.

Internal Use Only

Internal Use Only data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a moderate level of risk to Andromeda.  This data should be limited to access by individuals who are employed by Andromeda and who have legitimate reasons for accessing such data. Any non-public data that is not explicitly designated as Confidential should be treated as Internal Use Only data. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.

Public (or Unrestricted)

Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to Andromeda or members of the Community.  Any data that is not classified as Confidential or Internal Use Only should be considered Public data.  

5.0 Responsibilities

All data at Andromeda is assigned a data owner according to the constituency it represents.  Data owners are responsible for approval of all requests for access to such data. 

Andromeda’s Information Technology department serves as the data stewards for all data stored centrally on Andromeda’s servers and administrative systems.  They are also responsible for the security of such data.  For distributed data stored on departmental servers, the department head or their designee serves as the data steward, and the IT department (does not share/ shares) joint responsibility for securing this data.

Human Resources will inform the IT Department staff about an employee’s change of status or termination as soon as is practicable, but before an employee’s departure date from Andromeda.  Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s amount of access to Andromeda data.  The IT Department staff will terminate all of the employee’s account access upon the employee’s termination date from Andromeda, as specified by Human Resources.

Department heads will alert Human Resources at the conclusion of a contract for individuals that are not considered Andromeda employees in order to terminate access to their Andromeda accounts.

The Director of Information Technology and Executive Vice President/VP of Finance are in charge of maintaining, updating, and implementing this Program. 

All members of the Community are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing sensitive data in compliance with this Program.

5.1 Identification and Assessment of Risks to Andromeda Information

Andromeda recognizes that it has both internal and external risks to the privacy and integrity of Andromeda information. These risks include, but are not limited to:

• Unauthorized access of Confidential data by someone other than the owner of such data
• Compromised system security as a result of system access by an unauthorized person
• Interception of data during transmission
• Loss of data integrity
• Physical loss of data in a disaster
• Errors introduced into the system
• Corruption of data or systems
• Unauthorized access of Confidential data by employees
• Unauthorized requests for Confidential data
• Unauthorized access through hard copy files or reports
• Unauthorized transfer of Confidential data through third parties 

Andromeda recognizes that this may not be a complete list of the risks associated with the protection of Confidential data. Since technology growth is not static, new risks are created regularly. Accordingly, our IT Dept will monitor advisory groups such as the Educause Security Institute and SANS for identification of new risks.

Andromeda believes Andromeda’s current safeguards are reasonable and sufficient to provide security and confidentiality to Confidential data maintained by Andromeda.  Additionally, these safeguards also protect against currently anticipated threats or hazards to the integrity of such information.

5.2 Policies for Safeguarding Confidential Data 

To protect Confidential data, the following policies and procedures have been developed that relate to protection, access, storage, transportation, and destruction of records, computer system safeguards, and training.

Access

• Only those employees or authorized third parties requiring access to Confidential data in the regular course of their duties are granted access to Confidential data, including both physical and electronic records.
• Computer and network access passwords are disabled upon termination of employment or relationship with Andromeda. 
• Upon termination of employment or relationship with Andromeda, physical access to documents or other resources containing Confidential data is immediately prevented. 

Storage

• Members of the Community will not store Confidential data on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives).  In rare cases where it is necessary to transport Confidential data electronically, the mobile device containing the data must be encrypted.
• To the extent possible, making sure that all Confidential data is stored only on secure servers maintained by Andromeda and not on local machines, unsecure servers, or portable devices.
• Paper records containing Confidential data must be kept in locked files or other secured areas when not in use.  Once they are no longer needed, they should be shredded using the approved mechanisms.
• Electronic records containing Confidential data must be stored on secure servers, and, when stored on authorized desktop computers, must be password protected. 

Removing Records from Andromeda

• Members of the Community are strongly discouraged from removing records containing Confidential data off campus.  In rare cases where it is necessary to do so, the user must take all reasonable precautions to safeguard the data.  Under no circumstances are documents, electronic devices, or digital media containing Confidential data to be left unattended in any insecure location.
• When there is a legitimate need to provide records containing Confidential data to a third party, electronic records shall be password-protected and/or encrypted, and paper records shall be marked confidential and securely sealed.

Destruction of Confidential Data

• Paper and electronic records containing Confidential data must be destroyed in a manner that prevents recovery of the data. 

Third-Party Vendor Agreements Concerning Protection of Personal Information 

Andromeda exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for Personal Information provided by Andromeda to them.  

5.3 Computer system safeguards

The IT Department monitors and assesses information safeguards on an ongoing basis to determine when enhancements are required.  Andromeda has implemented the following to combat external risk and secure Andromeda’s network and data containing PI:

• Secure user authentication protocols
• Unique passwords are required for all user accounts; each employee receives an individual user account. 
• Server accounts are locked after multiple unsuccessful password attempts.
• Computer access passwords are disabled upon an employee’s termination.
• User passwords are stored in an encrypted format; root passwords are only accessible by system administrators. 
• Access to specific files or databases containing PI is limited to those employees who require such access in the normal course of their duties.
• Files containing PI transmitted outside of Andromeda’s network are to be encrypted.
• All Andromeda-owned computers and servers are firewall protected and regularly monitored.
• Operating system patches and security updates are installed to all servers.
• Antivirus and anti-malware software is installed and kept updated on all servers and workstations.  Virus definition updates are installed on a regular basis. 

5.4 Unauthorized Access

Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the Director of Information Technology.  The Director of Information Technology will document all breaches and subsequent responsive actions taken.  

6.0 Enforcement

Any employee who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises data classified as Confidential or Internal Use Only without authorization, or who fails to comply with this Program in any other respect, will be subject to disciplinary action, which may include termination in the case of employees.

7.0 Annual Review

Andromeda will review this Program at least annually and reserves the right to change, modify, or otherwise alter this Program at its sol discretion and at any time as it deems circumstances warrant.

Individuals who participate in events or programs have the right to know of the proprietary interests an instructor may have in a product or service mentioned. Andromeda Academy of Construction Trades LLC is required to disclose each instructor’s proprietary interest in any product, instrument, device, service, or material discussed in the event, or program, as well as the source of any compensation related to the presentation. This information is conveyed to learners prior to the commencement of the learning event.

Neither Andromeda Academy of Construction Trades LLC nor any Andromeda Academy of Construction Trades LLC instructor has proprietary interest in any product, instrument, device, service, or material discussed during the learning event except those offered by Andromeda Academy of Construction Trades LLC.

There is no third-party compensation related to the learning event or program.

Andromeda Academy of Construction Trades LLC regularly reviews its compliance with this policy. Please direct any questions or concerns regarding this policy to our Director of Safety and Training, Jake Toth, jake@andromeda.nyc

Definitions

Third party refers to corporations other than Andromeda Academy of Construction Trades LLC or clients participating in a learning event.

Compensation refers to financial or other benefits provided in return for services.

Andromeda Academy of Construction Trades LLC shall provide equal educational and employment opportunity to qualified individuals without regard to sex, race, color, national origin, ancestry/ethnicity, religion or creed, physical or mental disability, sexual orientation, gender identity/expression, marital or parental status, domestic violence victim status, military or veteran status, genetic predisposition or carrier status or age.

Equal educational opportunity includes, but is not limited to: facilities use, access to course offerings, financial aid and employment.

Equal employment opportunity includes, but is not limited to: recruitment, hiring, assignment of duties, promotion, demotion, transfer, layoff, termination, compensation, training, benefits and all other terms and conditions of employment.

Andromeda Academy of Construction Trades LLC is committed to its support of the principles of equal opportunity for students, faculty and staff and endeavors to enhance diversity within the Andromeda community. Faculty, staff and students are charged with conducting themselves in conformity with these principles and in accordance with this policy.

Inquiries regarding Andromeda Academy of Construction Trades LLC equal opportunity policy should be directed to the Director of Safety and Training, Jake Toth, jake@andromeda.nyc.

Students wishing to attend courses must register and submit payments using credit card or money order no later than 24 hours before course is set to begin. For complete overview, please review our refund, cancellation and missed attendance policies below.

Andromeda Academy REFUND & CREDIT POLICY 

Refund Procedures:All approved and eligible refund requests will be submitted to the financial department and can take up to 3-5 days to be processed.

Refund requests submitted using the online form will be reviewed and processed within 14 days.

• Registrations submitted less than 5 days prior to start of any class will not be eligible for a refund; however a credit will be issued on file for one year.
• Debit/credit card refunds: eligible refund will be returned back to the same card.
• For money order payments, the refund will be issued in the form of a check.

No refunds will be issued after 60 days of the original payment date. Clients requesting a refund after the 60-day period will only be issued a credit that will remain on file for up to 1 year.

Cancellations: If Andromeda Academy cancels a training course due to any unforeseen circumstance, the student is entitled to a full refund.

Cancellation and/or rescheduling requests must be received in writing via email or via telephone. The student is responsible for ensuring that Andromeda Academy receives your request. Attendees must cancel at least 5 days prior to the course date to receive a full refund.

If a client is attending a course they no longer need or qualify for, they will only be issued a refund should they make such a claim at the start of training at a time no later than the first class break.

No Shows/Missed Attendance: If a student misses a course without providing at least 5 days’ notice from the start of class, Andromeda Academy will only issue the student credit on file for the full payment, which will remain on file for up to 1 year.

Should a student reschedule their original course date and then fail to attend the rescheduled date as well, a 25% deposit will be retained and the remaining payment will be saved as credit on file for up to 1 year.

Certificate Policies: Andromeda Academy can re-issue a course completion certificate, CEU certificate, OSHA card, scaffold card, or other training cards per student request. In order to re-issue a duplicate course completion certificate or card, the student’s attendance and successful completion of our training program must first be verified. A photo I.D MUST be provided at the time the completion certificate or card is released.

The fee for duplicate certificate request(s) is as follows:

• First Request: $30
• Second Request: $50

The fee for duplicate OSHA card request is as follows:

• OSHA Card Request: $30

The fee for duplicate completion card request is as follows:​

• First Request: $30
• All Other Requests: $50

If a student would like to request a duplicate course completion certificate or card, simply fill out the duplicate request form and submit it to our office via fax, email, or in person. Full payment must be received in order to process your duplicate request.

For additional information and/or assistance, please call us at 347.510.4283, Monday through Friday, 9am-5pm EST, or email us at info@andromedaacademy.com.