John Glenn School Corporation
Administrative Guidelines
 

8305B - INFORMATION SECURITY INCIDENT MANAGEMENT

This administrative guideline governs the reporting and management of security incidents involving the Corporation's Information Resources (as defined in Bylaw 0100).

Every Board member, staff member/employee, student, parent, contractor/vendor, and visitor to school property who accesses Corporation-owned or managed information through computing systems or devices ("users") must report information security incidents (as defined below) promptly per the procedures described herein.

When an information security incident involves Corporation Confidential Data/Information (as defined below) or mission critical devices (as defined below), the Superintendent/Technology Director/Corporation's Information Technology Office shall, in coordination with the Corporation's Security Office, direct the incident response and investigation. The Technology Director is authorized, in conjunction with the Superintendent, to take any action necessary to mitigate the risk posed by the information security incident.

An employee who puts Corporation Confidential Data/Information at risk as a result of his/her failure to adhere to relevant policies/administrative guidelines/the law may be subject to disciplinary consequences, up to and including termination of employment and/or referral to law enforcement. Students who fail to adhere to applicable policies/administrative guidelines/the law will be referred to school and/or Corporation administration for review and determination of the consequences of their actions, including referral to law enforcement. Contractors and vendors who fail to adhere to applicable policies/administrative guidelines/the law may face termination of their business relationships with and/or legal action by the Corporation. Parents and visitors who fail to adhere to applicable policies/administrative guidelines/the law may be denied access to Corporation Technology and Information Resources and/or referred to law enforcement. Violations can in some cases also carry the risk of civil or criminal penalties.

The Technology Coordinator is responsible for establishing and maintaining an up-to-date information security management plan.

The school site administrator (e.g., the Principal) or the Corporation-wide department administrator, along with the Tech Specialist, are responsible for reporting information security incidents at their site.

Definitions

 A. Incident Management Plan
  The IT Department, in conjunction with Department/Building Leaders, must develop and maintain a plan that contains procedures on how to handle information security incidents, including contact information for department or building personnel with responsibility for responding to an incident, plans to contain an incident, and procedures on how to restore information.

 B. Information Security Incident
  Includes any incident that is known or has the potential to negatively impact the confidentiality, integrity, or availability of Corporation information/data. This can range from the loss of a laptop, tablet or other mobile/portable storage device, to the virus infection of an end-user workstation, to a breach of a Corporation system by a hacker.

 C. Mission Critical Resource
  Includes any resource that is critical to the mission and operation of the Corporation and any device that is running a mission critical service or stores Corporation Confidential Data/Information. Mission critical services must be available. Mission critical resources for information security purposes include, for example, information/data assets, software, hardware, and facilities related to Human Resources, Finance, Student Information Services, Payroll, email.

 D. Corporation Confidential Data/Information
  Includes all data, in its original and duplicate form, that contains:

  1. "personal identifying information", as defined by State and Federal laws;
   This includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, State identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or information that can be used to access a person's financial resources.

  2. "protected health information" as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA);

  3. student "education records", as defined by the Family Educational Rights and Privacy Act (FERPA) and State law;

  4. information that is deemed to be confidential in accordance with the Indiana Access to Public Records Act (APRA).

Adherence to the procedures outlined below will streamline the handling of information security incidents and minimize the timeframe during which Corporation Confidential Data/Information and mission critical resources are left in a vulnerable state.

Incident Reporting

Given the risks associated with information security incidents, as well as implications for the Corporation related to compliance with Federal and State regulatory requirements, it is essential that school site administrators and Corporation department administrators be aware of information security issues and their responsibilities for reporting and mitigating information security risks.

School site administrators and Corporation department administrators who manage business units that maintain and manage their site's Information Resources must designate employees as primary and back-up information security contacts, provide the Corporation's Information Technology Office with the names and contact information of these individuals, update this information whenever it changes, and verify that these contacts are trained by the Corporation's Technology Office to perform their duties.

Each information security contact shall serve as an intermediary between his/her respective Corporation school site or department and the Corporation's Information Technology Office and must assist the site or department s/he serves in implementing information security policies and information security initiatives, including training of school site/department staff and in responding to data breach incidents, all in close coordination with the Corporation's Information Technology Office.

Every technology user, including Board members, staff members/employees, students, parents, contractors/vendors, and visitors to campus, who has access to Corporation-owned or managed Information Resources and who suspects that there may have been an information security incident (ranging from a lost or stolen laptop, tablet or other mobile/portable storage device, the virus infection of an end-user work station, or a major intrusion by a hacker) must promptly report the incident to his/her Principal or director/manager and/or the information security contact for that school site or department.

The information security contact's roles and responsibilities include, but are not limited to:

 A. serving as a single point of contact for the Corporation's Information Technology Office regarding security efforts and information security incidents that affect Corporation school sites and departments;

 B. aiding the Corporation's Information Technology Office in improving information security in the Corporation by coordinating with them on security matters;

 C. working with the Corporation's Information Technology Office on incident management and response as well as assisting the Corporation's Information Technology Office, as needed, in certain activities including coordinating the following with the Corporation's Technology Office:

  1. ensuring proper identification and classification of mission critical devices and Technology Resources storing Corporation Confidential Data/Information within their school site or department;

  2. advising and training their site's administration, faculty, and staff on the implementation of appropriate security controls for Technology Resources (as defined in Bylaw 0100) and Information Resources;

  3. meeting periodically with the Corporation's Information Technology Office to move forward Corporation security initiatives for their respective school site or department;

  4. maintaining an up-to-date list of staff/users with access to Corporation Confidential Data/Information and Controlled Data/Information in their working group and promptly notifying the Corporation's Information Technology Office of any personnel changes, including transfers within the Corporation;

  5. providing basic security advice for all assigned systems and users within their school site or department;

  6. ensuring timely compliance with security awareness requirements, including appropriate refresher training and training of new employees;
   In consultation with the Principal, the information security contact will oversee the school site's or department's compliance with applicable State and Federal laws as well as Board policies regarding Corporation Confidential Data/Information.

  7. ensuring that any detected vulnerabilities are remediated in a timely manner;

  8. advising their school site or department regarding the implementation of appropriate security controls consistent with the Corporation's information security policy;

  9. collecting incident response information;
   The information security contact must timely notify the Corporation's Information Technology Office of any information security incidents for their respective school site or department consistent with the incident management procedure. In addition, the contact must provide a timely and comprehensive response to information security incidents in coordination with the Corporation's Information Technology Office.

  10. coordinating with the Corporation's Information Technology Office regarding the Corporation's information security strategic initiatives.

Each information security incident will be classified according to the following "levels":

| Incident Level | Examples | Investigation Type |
|---|---|---|
| Level 1 | Violation of Board policies and administrative guidelines that relate to technology and information security. A virus or malware detection. | Basic investigation of an incident. Remediation advice for an incident is provided. Device isolation, if necessary. |
| Level 2 | Unauthorized computer/network access, misuse, or user permission issue. Computer/system theft, damage or loss. Malicious Denial of Service Attack or other attempt to interrupt normal operations. | Investigation of the incident. Notification will be provided if applicable pursuant to AG 8305C. |
| Level 3 | Hacking or system breach to core/mission critical systems. Unauthorized release of Corporation Confidential Data/Information. | Investigation of a likely or confirmed breach of a system processing/storing Corporation Confidential Data/Information or a mission critical system. Investigation of information technology relevant issues performed in support of criminal or civil cases, as well as Corporation internal investigations. Notification will be provided if applicable pursuant to AG 8305C. |

In the event of a possible Level 2 or 3 information security incident, the user or administrator of the potentially compromised system or device should work with the school site's or department's information security contact to preserve all evidence, including leaving the possibly compromised machine powered up and online, and refraining from accessing the system or machine in any way. The information security contact will then report the incident to the Corporation's Information Technology Office and/or Security Office. The Corporation's Information Technology Office and the Security Office will advise how best to proceed for purposes of preserving evidence and constructing an audit trail for the investigation of the incident. As appropriate, the Corporation's Security Office will coordinate with public safety and law enforcement officials.

The Superintendent will coordinate all external communications with the media or the public related to any information security incident.

Approved 9/26/17

© Neola 2017