Wayne County School District strives to be a leader in educational technology.
Wayne School District (WSD) supports secure network systems, including security for all personally identifiable information that is stored on paper or stored digitally on WSD-maintained computers and networks. This policy supports efforts to mitigate threats that may cause harm to the district, schools, students, or employees at WSD.
WSD will ensure reasonable efforts will be made to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, etc., and may not be preventable.
All persons who are granted access to the WSD network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of devices on the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the network administrator with the relevant information.
This policy also covers third party vendors/contractors that contain or have access to WSD critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.
It is the policy of WSD to fully conform with all federal and state privacy and data governance laws. Including the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records and Management Act U.C.A. §62G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq. and Utah Administrative Code R277-487.
The board directs the WSD IT Director to develop procedures to support this policy. Employees are required to follow the procedures developed by the IT Director. Professional development for staff regarding the importance of network security and best practices is to be included in the procedures. Students are also required to follow the procedures as applicable. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network. The board supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect data, users, and electronic assets.
WSD Security Procedures
Access: Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.
Authorization: Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.
Computer: Any electronic device or communication facility that stores, retrieves, processes, or transmits data.
Computer system: A set of related, connected or unconnected, devices, software, or other related computer equipment.
Computer network: The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.
Computer property: Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.
Confidential: Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.
Encryption or encrypted data: The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
Personally Identifiable Information (PII): Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered Protected data
Security system: A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.
Sensitive data: Data that contains personally identifiable information.
System level: Access to the system that is considered full administrative access. Includes operating system access and hosted application access.
District IT security shall be the primary responsibility of the District IT Department, led by the IT Director. The IT Department shall be responsible for the development of policies and adherence to the standards defined in this document.
WSD, led by the IT Director, shall ensure that all employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. Training resources will be provided to all employees.
These methods help ensure employees have a solid understanding of our security policy, procedures, and best practices. Employees shall also have a basic understanding of the following security related topics: social engineering tactics, email and messaging security, safely browsing the internet, social networking threats, mobile device security, password best practices, data classification, data transmission and encryption, data destruction, WiFi security, working remotely, insider threats from students and staff, physical security issues, protecting personal/work computers, copyright infringements, malware and virus protection, sharing files with local and state entities, and workspace security.
All WSD employees shall receive security specific trainings Annually.
The workstations at WSD contain sensitive information and data. WSD IT Department will implement procedures to ensure that this information will be secure.
WSD shall ensure that any user’s computer must not be left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers should be used to enforce this requirement.
Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information; including personally identifiable information (PII) and that access to sensitive information is restricted to authorized users.
○ Restricting physical access to workstations to only authorized personnel.
○ Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
○ Enabling a password protected screensaver with a 15 minutes or less to ensure that workstations that were left unsecured will be protected. The password must comply with WSD Password Procedure.
○ Complying with all applicable password policies and procedures. See WSD Password Procedure.
○ Ensuring controlled workstations are used for authorized business purposes only. Never installing unauthorized software on controlled workstations.
○ Storing all sensitive information, including personally identifiable information (PII) on secured network servers
○ Securing laptops that contain sensitive information by locking laptops up in drawers, cabinets or in a classroom/office.
○ Enable Workstation Encryption
○ Users are not set up as computer administrators
Network security entails protecting the usability, reliability, integrity, and safety of network and data. Effective network security defeats a variety of threats from entering or spreading on a network. The primary goals of network security are Confidentiality, Integrity, Availability and Accountability.
The minimal security configuration required for all routers and switches connecting to a production network or used in a production capacity at or on behalf of WSD. WSD shall ensure that all untrusted and public access computer networks are separated from main computer networks and utilize security policies to ensure the integrity of those computer networks. WSD will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.
Network perimeter controls will be implemented to regulate traffic moving between trusted internal (WSD) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.
Network security entails protecting the usability, reliability, integrity, and safety of network and data. Effective network security defeats a variety of threats from entering or spreading on a network. The primary goals of network security are Confidentiality, Integrity, and Availability.
No wireless access point shall be installed on WSD computer network that does not conform to current network standards as defined by the IT Department. WSD shall scan for and remove or disable any rogue wireless devices on a regular basis. All wireless access networks shall conform to current best practices and shall utilize at minimal WPA2 encryption for any connections. Open access networks are not permitted with the exception of a managed guest network.
Wireless Network controls will be implemented to regulate traffic moving between trusted internal (WSD) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.
Remote access allows a user to connect from outside the WSD organization network. This procedure applies to all WSD employees, contractors, vendors and agents with a WSD owned or personally owned computer or workstation used to connect to the WSD network. This procedure applies to remote access connections used to do work on behalf of WSD
The purpose of this procedure is to define standards for connecting to WSD network from any host. These standards are designed to minimize the potential exposure to WSD from damages, which may result from unauthorized use of WSD resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical WSD internal systems, etc. Remote access implementations that are covered by this procedure include, but are not limited to DSL, VPN, and SSH.
It is the responsibility of WSD employees, contractors, vendors and agents with remote access privileges to WSD network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to WSD.
Please review the following procedures to ensure protection of information when accessing the WSD network via remote access methods, and acceptable use of WSD network:
Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the entire network. This guideline provides best practices for creating secure passwords.
The purpose of this procedure is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. This procedure applies to all personnel and entities working on behalf of WSD, who have or are responsible for any account (or any form of access that supports or requires a password) on any system that resides at or is connected to WSD.
To minimize the possibility of unauthorized access, all passwords should meet or exceed the guidelines for creating strong passwords.
Protection of passwords
Access control is the process of authorizing users, groups, and computers to access objects on the network or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
The purpose for setting access control in the WSD organization provides system and application access based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.
This procedure is directed to the IT Management Staff who is accountable to ensure proper access is given to individual employees.
A Security Response Plan (SRP) provides the impetus for security and operational groups to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines.
The purpose of this procedure is to establish the requirement that all operational groups supported develop and maintain a security response plan. This ensures that the security incident response team has all the necessary information to formulate a successful response should a specific security incident occur. This procedure applies any established and defined operational group or entity within the WSD.
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the WSD director and network administrator.
The product description in an SRP must clearly define the service or application to be deployed with additional attention to data flows, logical diagrams, architecture considered highly useful.
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).
The SRP must define triage steps to be implemented with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact.
Since disasters happen so rarely, management often ignores the disaster recovery planning process. It is important to realize that having a contingency plan in the event of a disaster gives WSD an advantage. This procedure requires management to financially support and diligently attend to disaster contingency planning efforts. Disasters include, but are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service should be considered.
This procedure defines the requirement for a baseline disaster recovery plan to be developed and implemented by WSD that will describe the process to recover IT Systems, Applications and Data from any type of disaster that causes a major outage.
This procedure is directed to the IT Management Staff who is accountable to ensure the plan is developed, tested and kept up to date. This procedure is solely to state the requirement to have a disaster recovery plan, it does not provide requirement around what goes into the plan or sub plans. The WSD director and IT director will develop the following contingency plans.
The following contingency plans must be created:
○ Location of installation software
○ Backup frequency and storage locations
○ Username and passwords
○ Support phone numbers
○ Steps to restart, reconfigure, and recover the system
○ Power up and power down procedures
○ Equipment age
○ Model and serial numbers
○ Warranty and maintenance contract information
○ Software licensing information and storage location
○ IP and MAC addresses
○ Supplier contacts for sources of expertise to recover systems. These might include vendors that sell/support the products, or the manufacturers themselves
○ Website username and password
○ Server username and password
○ Assigned computer username and password
Malicious Software is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. It may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge.
The purpose of the procedure is to ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.
This procedure is directed to the IT Management Staff who is accountable to ensure the security of district networks and data.
Internet content filtering is the use of a program or hardware to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable.
The purpose of Internet content filtering is to provide best effort to protect students, teachers, and school employees from objectionable material.
This procedure is directed to the IT Management Staff who is accountable to ensure that Internet content filtering best practices are implemented.
Data can be used to facilitate change and improvement, there is however a need to balance the usefulness of this data with the privacy of who the data is about.
The purpose of protecting data is to provide best effort to ensure that data breaches do not happen and to place into training and procedure steps to protect individuals.
This procedure is directed to the IT Management Staff who is accountable to ensure that Privacy and data protection best practices are implemented. Data privacy within the district shall be in accordance with the district’s Data Governance Plan.
Planned and random security audits are important in order to mitigate risk and evaluate our preparedness for a security incident. WSD contracts with UETN to conduct periodic security penetration tests using the CIS Critical Security Controls on devices and networks.
The purpose of this procedure is to ensure all devices and network are configured according to the WSD security policy. All devices connected to the WSD network are subject to audit at any time. Audits may be conducted to:
WSD hereby provides its consent to allow the UETN security audit team or an external auditor to access its devices to the extent necessary, within a predetermined scope; which will be written and approved by the UETN team to allow the auditor to perform scheduled and random audits of any/all devices at WSD.
○ Host security agents such as antivirus and malware protection shall be installed and updated
○ Perform network scans to verify only required network ports and network shares are in use
○ Verify administrative group membership
○ Conduct baselines when systems are deployed and upon significant system changes
○ Changes to configuration template shall be coordinated with WSD network administrator
○ Must follow all other applicable procedures for deployed new devices
The UETN Team or an external auditor shall conduct audits of all devices owned or operated by WSD. Device owners are encouraged to audit their own devices as needed; this does not allow a device owner to perform an audit of the WSD network or on any device not owned by the employee
5. Relevant Findings
All relevant findings discovered as a result of an audit shall be listed in the UETN report to WSD to ensure prompt resolution and/or appropriate mitigating controls
6. Ownership of Audit Report
All results and findings generated by the UETN team or an external auditor must be provided to appropriate WSD management within one month of project completion. This report will become the property of WSD and be considered confidential
The purpose of this procedure is to establish a culture of security for all WSD employees. An effective clean desk effort, involving the participation and support of all employees, will protect paper documents that contain personally identifiable and other sensitive information.
The primary reasons for a clean desk procedure are:
Appropriate measures must be taken to ensure the confidentiality, integrity and availability of sensitive information, including but not limited to Personally Identifiable Information (PII) or sensitive personal information(SPI).
Appropriate measures include:
Electronic email is used pervasively, and is often the primary communication and awareness method within an organization. Misuse of email, however, can pose many legal, privacy and security risks, thus it is important for users to understand the appropriate use of electronic communications.
The purpose of this email procedure is to ensure the proper use of the WSD email system and make users aware of what WSD deems as acceptable and unacceptable use of its email system. This procedure outlines the minimum requirements for use of email within the WSD network.
Every WSD employee will be required to sign this acceptable use policy.
All employees are responsible for following WSD policy and procedures.
1. INTERNET & INTERNET USE:
WSD has access to the Internet, which is governed and supported by the Utah Education Network.
Use of the electronic information resources in WSD shall be to improve and support the educational process by providing access to global information and improving communication between our districts, employees of WSD, and community members. WSD desires to provide electronic mail service, electronic conferencing, global information resources via the World Wide Web, to employees of WSD at no cost.
2. ACCEPTABLE INTERNET USE
All Internet or computer equipment use shall be consistent with the purposes, goals, and policies of WSD. It is imperative that users of the Internet or computer equipment conduct themselves in a responsible, ethical, moral, and polite manner. All participants must abide by all local, state, and federal laws. The Internet user accepts the responsibility of adhering to high standards of conduct and the terms and conditions set forth in all parts of this policy.
3. IMPERMISSIBLE INTERNET & COMPUTER EQUIPMENT USES
The following uses of the Internet & computer equipment are prohibited:
The use of the Internet and computer equipment within WSD is a privilege. The information produced from Internet access or computer use shall be deemed the property of WSD, this is confidential information to the user unless it is transmitted to others with the user’s permission. Violation of this policy can result in the loss of computer access privileges.
WSD reserves the right to monitor and review any material on any machine at anytime in order for the service center to determine any inappropriate use of network services.
6. DISCLAIMER OF ALL WARRANTIES
WSD makes no warranties of any kind, whether expressed or implied, for the services provided in connection with use of the Internet or any and all computer equipment. Neither WSD nor any supporting Internet services will be responsible for any damages that an computer or Internet user suffers. WSD expressly disclaims any liability in connection with the loss of data resulting from delays, failure to deliver data, mistaken deliveries, viruses, backup device failure, or service interruptions caused by WSD or the Internet provider or by the users error or omissions. Use of any information obtained via the Internet is at the user’s own risk. WSD expressly denies any responsibility for the accuracy or quality of information obtained through any Internet service. All users must consider the source of any information they obtain and evaluate the validity of that information.
WSD will implement security procedures on Internet access to protect against unacceptable use. Employees are responsible for the security of their computer equipment, files and passwords. Employees with access to student records may not use, release, or share these records except as authorized by Federal, State, or Local laws. Employees are responsible for any accounts they may have. Sharing of any usernames or passwords to anyone is not permissible and may result in the loss of account privileges. Employees will be held accountable for any activity under their user account. Any security violations by employees must be reported to Technology Specialist and Director.
8. ENCOUNTER OF CONTROVERSIAL MATERIAL
Internet users may encounter material that is controversial which the user or administrator may consider inappropriate or offensive. WSD has taken precautions to restrict access to inappropriate materials through a filtering and monitoring system. However, it is impossible on a global Internet, to control access to all data which a user may discover. It is the user’s responsibility not to initiate access to such material. Any site or material that is deemed controversial should be reported immediately to the appropriate administrator. WSD expressly disclaims any obligation to discover all violations of inappropriate internet access.
a. Only registered employees of WSD and Board of Directors members qualify for Internet access under this policy.
b. Only the authorized users who have signed the user agreement shall have computer access. Users are ultimately responsible for all activity while using the Internet and all computer equipment.
c. All Internet or computer equipment access by an employee or Board member is automatically terminated upon retirement, resignation, or termination of employment.
d. All student computer use must be supervised. Employees who supervise students with access to computer equipment must be familiar with the district's Student Computer Acceptable Use Policy and be willing to enforce it. Employees must appropriately secure rooms and areas where school computer equipment is housed.
10. PENALTIES FOR IMPROPER USE
Any violation of this policy or applicable state and federal laws may result in disciplinary action (including the possibility of termination) and/or referral to legal authorities. The Technology Specialist may limit, suspend, or revoke access to electronic resources at any time.
WSD INTERNET USER AGREEMENT
I understand and will abide by the WSD Employee Computer Acceptable Use Policy. I further understand that any violations of the above Computer Acceptable Use Policy, when using WSD electronic information resources, may result in the loss of my access privileges and/or other disciplinary or legal action. This action may include, but not limited to, suspension, probation, or termination of employment. I, therefore, agree to maintain professional standards and to report any misuse of the electronic information resources to the Technology Specialist or Director.
Employee Name (Please Print)
Employee Signature and Date
Wayne School District (referred to as the LEA throughout) takes its responsibility toward student data seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):
The LEA recognizes that there is risk and liability in maintaining student data and other education-related data and will incorporate reasonable data industry best practices to mitigate this risk.
In accordance with R277-487, the LEA shall do the following:
The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities are as follows:
The LEA recognizes that training and supporting educators and staff regarding federal and state data privacy laws is a necessary control to ensure legal compliance.
In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:
There is a risk of redisclosure whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compliance with federal and state law.
The LEA recognizes the risk associated with data following a student year after year that could be used to mistreat the student. The LEA shall review all requests for records expungement from parents and make a determination based on the following procedure.
The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, assessment information.
The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.
The LEA shall follow industry best practices to protect information and data. In the event of a data breach or inadvertent disclosure of personally identifiable information, the LEA staff shall follow industry best practices for responding to the breach.
The LEA recognizes the importance of transparency and will post this policy on the LEA website.