John Glenn School Corporation
Administrative Guidelines

8305A - INFORMATION SECURITY RESPONSIBILITIES

The School Corporation collects and retains large amounts of data/information that must be protected and preserved.

To strengthen the security of Corporation Technology Resources (see definition Bylaw 0100) and Information Resources (see definition Bylaw 0100), the Corporation has developed a series of information security policies available through the Corporation’s website.

For user convenience, a brief summary of the key requirements of these policies follows. Please address any questions to the Corporation’s Information Technology Office at asteg@jgsc.k12.in.us or call 574-586-3129.

All computer users are required to certify annually that (1) they have read the information security policies identified in this document, and (2) they understand and agree to abide by the information security policies applicable to them. Appropriate training will be provided to all users.

Expectations for All Technology Users

This document summarizes the School Board’s information security policies. Users of the Corporation’s Technology Resources must read these summaries, and affirm that they understand and will fulfill their responsibilities under the applicable policies.

A. In many cases, operating system and application updates, along with malware protection, are all that stand between a computer and a system compromise or infection. The Corporation’s Technology Resources are regularly updated and malware protection is provided.

Users are responsible for verifying their computers are configured to receive automated patches, and ensuring the automated updates run so that security vulnerabilities are patched in a timely manner.

Users also must verify their malware protection is properly installed, updated, and is running the latest virus definitions.

Users’ school or department IT support staff are available to assist with these responsibilities.

If Corporation users access Corporation Technology Resources using personal communication devices, they must verify proper security measures are active on their devices.

B. No software is 100% effective in preventing compromises or infections, and not all websites are safe. Users must be alert when using the Internet, especially on systems storing or processing protected and confidential data/information. One way to reduce the risk of compromise is to limit the user’s non-work related Internet activity.

C. Because Confidential Data/Information exists in many forms (e.g., written, spoken, electronically recorded, printed, etc.) users are responsible for properly securing this data/information at all times. This may take the form of physical security (e.g., locked cabinets, locked doors, locked building) or through digital security (e.g., passwords, biometric authentication, encryption). All users with access to the Corporation’s Confidential Data/Information are:

    1. required to activate their device’s available security feature(s) that prevent direct access to the data/information on the device without first verifying the identity of the user via a secure method (e.g., passcodes, biometrics, user id/password). This applies to both personal and Corporation-provided devices when Corporation Confidential Data/Information may be stored on that device (e.g., email, student records, etc.). Users are prohibited from storing Corporation Confidential Data/Information on any device that does not meet this basic level of security;

    2. prohibited from storing Confidential Data/Information on any mobile/portable storage device (e.g., USB flash cards, CD-ROMs, etc.) that is not encrypted or password protected.

D. Corporation Confidential Data/Information includes many different types of data/information, such as social security numbers, personal health information, student records, and bank and credit card information, or other personally identifiable information.

E. Corporation Confidential Data/Information must never be shared through instant messaging or peer-to-peer (P2P) file-sharing software or devices. P2P software must never be installed on machines or devices that store, process, or access confidential data/information. Corporation users are required to obey copyright laws and to adhere to the acceptable use policy (Policy 7540.03/Policy 7540.04).

F. Corporation Confidential Data/Information must be accessed through one of the following methods only: (1) user authentication with the correct password; (2) multi-factor authentication, such as a smart card in combination with a password; or (3) biometric identification approved by the Corporation’s Information Technology Office. Some networked storage options supplied by the Corporation are not suitable for the storage of Corporation Confidential Data/Information because they do not conform to these access requirements. Likewise, third party consumer cloud computing or software-as-a-service offerings such as Dropbox, Google Docs, iCloud, and other similar offerings are not acceptable for the storage of Corporation Confidential Data/Information unless the Corporation has a current contract with these providers that includes data/information security. If a user is not sure if a storage location is secure, the user should contact the Corporation’s Technology Office.

G. Machines and devices that store Corporation Confidential Data/Information, or that are used to access mission critical systems (e.g., SIS, ERP, Payroll), must be used only in areas with restricted or controlled access and must be locked whenever they are left unattended. It is recognized that requiring re-authentication for teachers every 120 minutes may be disruptive to teaching. Therefore, it is the teacher’s responsibility to appropriately protect Confidential Data/Information in the classroom by ensuring students, parents, volunteers, visitors, or others without authorization to view/access the data/information do not view/access it when the Confidential Data/Information is in use.

H. Corporation Confidential Data/Information maintained on computers or other electronic devices should be destroyed or disposed of only in accordance with Board policy and State law. Any school or department intending to surplus computing devices and/or printer/copy machines or any other device that stores information must first destroy the electronic information by wiping the data from the hard drive(s) or flash storage, or by having this done by authorized Corporation personnel, and must keep the devices physically secure until transfer to Corporation Surplus.

I. Users must maintain strong passwords for every Corporation system and application they access that stores/processes Corporation data/information. Users must change all passwords used for Corporation systems in accordance with the Corporation’s password requirements.

J. Per the Board’s e-mail policy, users must always use their official Corporation-supplied e-mail address for official business. Auto-forwarding of Corporation e-mail accounts is prohibited. Manual forwarding of individual e-mail messages is permitted.

K. Users must immediately report any lost or stolen mobile/portable devices (e.g., laptops, smartphones) or security breaches (e.g., computer viruses, hacking attempts) to the Corporation’s Information Technology Office and/or the Corporation Security Office. If a user suspects Corporation Confidential Data/Information or mission critical systems and resources are at risk, the user must make this point clear when submitting a report. Also, if a user suspects Corporation Confidential Data/Information is at risk, the user should avoid taking any actions such as manually scanning the computer with antivirus software, since such actions can destroy evidence needed for the investigation. Information Technology and/or Security employees will assess what needs to be done.

L. Users must be mindful of the risks associated with Corporation Confidential Data/Information when storing, processing, or accessing data/information. If a user is unsure how to comply fully with Board policies or procedures or if the user is unsure how to conduct a process securely, the user should ask for assistance from the school or department IT support contact or the Corporation’s Information Technology Office. Users are expected to know their school’s/department’s information technology contact so that they can contact him/her when there is a need.

Expectations for Administrative Personnel

In addition to the preceding, administrative personnel also must understand and fulfill the following responsibilities. Appropriate training will be provided.

A. Each Corporation school or department that is responsible for maintaining its Technology Resources and Information Resources must have a designated information technology contact, plus a designated backup information technology contact. The Corporation’s Information Technology Office monitors the duties, responsibilities, and training of information technology contacts. Each site or department administrator that maintains its own information technology must verify that its IT support personnel have been trained to maintain the unit’s IT resources in compliance with all of the Corporation’s information security policies and procedures.

B. Each Corporation school or department that stores Corporation Confidential Data/Information or that operates mission critical systems must work with the Corporation’s Information Technology Office to perform regular vulnerability scans.

C. Each Corporation school or department administrator that maintains its own information technology is responsible for reporting immediately to the Corporation’s Information Technology Office or Security Office any time there is reason to suspect that the security of Corporation Confidential Data/Information or of a mission critical system (e.g., Human Resources, Finance, Student Information Services, Payroll, e-mail, etc.) has been compromised or is at risk.

Expectations for Technology Support Personnel

In addition to all of the above, technology personnel, regardless of the school or department to which they are assigned, also must understand and fulfill the following responsibilities. Appropriate training will be provided.

A. IT personnel must read, understand and comply with the Board’s policies and procedures that govern the use, operation and protection of IT systems and resources. The information technology security standards described in the information security policy are minimum standards required for the protection of Corporation systems, including those that store/process Corporation Confidential Data/Information or that are considered mission critical. Site and department IT resources for which an IT support employee is responsible must be managed in compliance with these policies and procedures. If technology personnel have questions or need assistance, it is the employee’s responsibility to contact his/her Principal and/or the Corporation’s Information Technology Office.

B. IT personnel are responsible for enforcing Corporation password requirements for the systems and applications the IT personnel manage. System and application administrators must configure all Corporation-owned and managed IT devices/systems to implement the password requirements to the degree technically feasible, in compliance with the Corporation’s password standards.

C. If a user is unsure how to transfer Corporation Confidential Data/Information, the user should contact the school/department technology contact for assistance. If the school/department technology contact is unsure of the proper method to transfer the Confidential Data/Information, the request should be referred to the Corporation’s Information Technology Office.

D. IT personnel must report system and application vulnerabilities to the Principal and/or the Corporation’s Information Technology Office.

E. The Corporation Information Technology Office will perform regular vulnerability scans of Corporation Technology Resources.

F. If technology personnel suspect that the security of any data/information or of a mission critical system (e.g., Human Resources, Finance, Student Information Services, Payroll, e-mail, etc.) has been compromised or is at risk, it is their responsibility to report that immediately to the Corporation’s Information Technology Office and/or Security Office. No action should be taken that might inhibit investigation of an incident or make unavailable information that might assist the investigation.

G. Technology personnel are required to follow incident handling instructions as specified in the incident management policy and/or as directed by the Corporation’s Information Technology Office or Security Office in response to potentially unauthorized access of protected information.

Key Information Security Policies and Administrative Procedures

Below are brief descriptions of the Corporation’s policies and procedures related to information security. The full text of each policy or procedure can be found on the Corporation’s website.

Policies

A. Policy 7540 – Technology – Authorizes the development of a Corporation Technology Plan to facilitate effective use of Corporation Technology Resources that support student learning and/or Corporation business operations.

B. Policy 7540.02 – Web Content, Services and Apps – Addresses the requirements for creation of Corporation-authorized websites, services and apps by employees and students.

C. Policy 7540.03 – Student Technology Acceptable Use and Safety – Describes student use of Corporation Technology Resources, expectations of privacy, Corporation technology protection measures, areas for student training, and assigned school e-mail accounts.

D. Policy 7540.04 – Staff Technology Acceptable Use and Safety – Describes staff use of Corporation Technology Resources.

E. Policies 7540.05 and 7540.06 – Proper Use of Corporation-Issued E-mail Account – Establish a framework for proper use of Corporation-issued e-mail accounts as an official business or educational tool for staff and students.

F. Policy 8300 – Continuity of Organizational Operations Plan – Authorizes the creation of a COOP to provide the Corporation with the capability of conducting its essential operations under all threats and conditions with or without warning.

G. Policy 8305 – Collection, Classification, Retention, Access and Security of Corporation Data/Information – Authorizes the Superintendent to develop internal controls necessary to provide for the proper collection, classification, retention, access, and security of data/information to include procedures in the event of an unauthorized release of information and training for staff.

Administrative Guideline/Procedures

A. AG 8305A – Staff Information Security Responsibilities – Review of what every computer user, administrator, and technology support employee should know in order to ensure the security of Corporation information.

B. AG 7540B – Technology Director – Describes the responsibilities for the position of Technology Director.

C. AG 7540C – Technology Governance Committee – Presents the requirements for establishing a Corporation Technology Governance Committee that will create standards and procedures for proper management and protection of Corporation technology resources.

D. AG 7540A – Staff and Student Training Regarding the Internet – Describes areas to be included in training of staff and students in the proper use of the Internet.

E. AG 8305 – Classification, Retention, Access and Security of Corporation Data/Information – Provides a framework that Corporation employees can use to classify data/information for the purpose of determining the data/information’s need for protection.

F. AG 8305B – Information Security Incident Management – Presents requirements for managing and reporting information security incidents.

G. AG 8305C – Notification of Information Security Incident – Describes procedures for prompt notification of appropriate personnel in the event of a security breach.

Approved 9/26/17

© Neola 2017