Purpose
It is the District’s policy to the extent possible to ensure that data and information in all its forms, written, electronic or printed is protected from accidental or intentional unauthorized modification, destruction or disclosure. The protection includes an appropriate level of security over the equipment, software and practices used to process, store and transmit data or information.
Data Security Administrator and Data Governance Committee
The District’s superintendent will designate a District employee to serve as the data security administrator. The data security administrator will be responsible for overseeing the implementation of the District’s security policies and procedures. The data security administrator will also select District employees to serve on the District’s Data Governance Committee. This committee will be responsible for an annual review of all data governance policies and procedures.
Further, the data security administrator and the Data Governance Committee will assist the District administration in implementing a comprehensive annual training program on the District’s data policies.
Regulatory Compliance
The District will comply with applicable laws, regulations or contractual obligations which affect its data systems including, but not limited to:
Risk Analysis
Annually, and as requested by the Superintendent, a thorough risk analysis of the District’s data networks, systems, policies and procedures will be conducted. The risk assessment will be used as a basis for a plan to minimize identified risks.
Data Classification
Data is classified according to the most sensitive detail it includes. The classification assigned and the related controls applied are dependent on the sensitivity of the data.
Systems and Information Control
Any computer, laptop, mobile device, preliminary and/or screening device, network, appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic device may be referred to as “systems.” All involved systems and information are assets of the District and shall be protected from misuse, unauthorized manipulation and destruction. These protection measures may be physical and/or software based.
Ownership of Software
All computer software developed by the District employees or contract personnel on behalf of the District, licensed or purchased for the District’s use is the property of the District and shall not be copied for use at home or any other location, unless otherwise specified by the license agreement.
Software Installation and Use
All software packages that reside on technological systems within or used by the District shall comply with applicable licensing agreements and restrictions and shall comply with the District’s acquisition of software procedures.
Virus, Malware, Spyware, Phishing and SPAM Protection
Virus checking systems approved by the District Technology Department are deployed using a multi-layered approach (computers, servers, gateways, firewalls, filters, etc.) that ensures all electronic files are appropriately scanned for viruses, malware, spyware, phishing and SPAM. Users shall not turn off or disable the District’s protection systems or install other systems.
Access Controls
Physical and electronic access to information systems that contain personally identifiable information (PII), confidential information, internal information and computing resources shall be controlled. To ensure appropriate levels of access by District employees, a variety of security measures are instituted as recommended by the Data Governance Committee and approved by the District. In particular, the Data Governance Committee shall document roles and rights to the student information system and other like systems. Mechanisms to control access to PII, confidential information, internal information and computing resources include, but are not limited to, the following methods:
Data Transfer/Exchange/Printing
Electronic Mass Data Transfers: Downloading, uploading or transferring PII, confidential information, and internal information between systems shall be strictly controlled. Requests for mass download of, or individual requests for, information for research or any other purposes that include PII shall be in accordance with this policy and be approved by the Data Governance Committee. All other mass downloads of information shall be approved by the Committee and/or data security administrator and include only the minimum amount of information necessary to fulfill the request. At the very least, a Memorandum of Agreement (MOA) shall be in place when transferring PII to third party entities such as software or application vendors, textbook companies, testing companies, or any other web-based application, etc., unless an exception is approved by the Data Governance Committee. Further, the Data Governance Committee is responsible for ensuring that any MOAs or agreements with third party entities in possession of District data comply with the federal regulations identified in this regulation.
Other Electronic Data Transfers and Printing: PII, confidential information, and internal information shall be stored in a manner inaccessible to unauthorized individuals. PII and confidential information shall not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. PII that is downloaded for educational purposes shall, where possible, be de-identified before use.
Oral Communications: The District’s staff shall be aware of their surroundings when discussing PII and confidential information. This includes but is not limited to the use of cellular telephones in public areas. The District’s staff shall not discuss PII or confidential information in public areas if the information can be overheard. Caution shall be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
Audit Controls: Hardware, software, services and/or procedural mechanisms that record and examine activity in information systems that contain or use PII are reviewed by the Data Governance Committee annually. Further, the committee also regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews shall be documented and maintained for six (6) years.
Evaluation: The District will require that periodic technical and non-technical evaluations of access controls, storage, and other systems be performed in response to environmental or operational changes affecting the security of electronic PII to ensure its continued protection.
IT Disaster Recovery: Controls shall ensure the District can recover from any damage to critical systems, data, or information within a reasonable period of time. Each school, department, or individual is required to immediately report any system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages data or systems to the Superintendent, data security administrator, and/or technology director for response. The IT disaster plan shall include the following:
Compliance
The data governance policy applies to all users of the District’s information including: employees, staff, students, volunteers, and third party vendors. Failure to comply with this policy by employees, staff, volunteers, and third party vendors may result in disciplinary action up to and including dismissal in accordance with the District’s applicable procedures, or, in the case of third party vendors, termination of the contractual relationship. Failure to comply with this policy by students may constitute grounds for corrective action in accordance with the District’s policies. Further, penalties associated with state and federal laws may apply.
Possible disciplinary/corrective action may be instituted for, but is not limited to, the following: