­Technology Security Policy Procedure 

Approved: 5/10/17

Philosophy

South Sanpete School District (SSSD) supports secure network systems, including security for all personally identifiable information that is stored on paper or stored digitally on SSSD-maintained computers and networks. This policy/procedure supports efforts to mitigate threats that may cause harm to the districts, students, or employees in the SSSD District.

SSSD will ensure reasonable efforts will be made to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, etc., and may not be preventable.

All persons who are granted access to the SSSD network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of devices on the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the network administrator with the relevant information.

This policy and procedure also covers third party vendors/contractors that contain or have access to SSSD critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.

It is the policy of SSSD to fully conform with all federal and state privacy and data governance laws.  Including the Family Educational Rights and privacy Act, 20  U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records and Management Act  U.C.A. §62G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq. and Utah Administrative Code R277-487.

The board directs the SSSD Director to develop procedures to support this policy. Professional development for staff regarding the importance of network security and best practices is to be included in the procedures. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network. The board supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect data, users, and electronic assets.

Definitions—

  1. Access – Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.
  2. Authorization – Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.
  3. Computer –Any electronic device or communication facility that stores, retrieves, processes, or transmits data.
  4. Computer system – A set of related, connected or unconnected, devices, software, or other related computer equipment.
  5. Computer network – The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.
  6. Computer property – Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.
  7. Confidential – Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.
  8. Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
  9. Personally Identifiable Information (PII) – Any data that could potentially identify a specific
  10. Security system – A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.
  11. Sensitive data – Data that contains personally identifiable information.
  12. System level – Access to the system that is considered full administrative access.  Includes
Security Responsibility

SSSD shall appoint, in writing, an Security Information Officer (SIO) responsible for overseeing SSSD office-wide IT security, to include development of policies and adherence to the standards defined in this document.

Employee Security Awareness Training
  1. Overview: SSSD, led by the SIO, shall ensure that all employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. - Training resources will be provided to all employees.
  2. Purpose: These methods help ensure employees have a solid understanding of our security policy, procedures, and best practices. Employees shall also have a basic understanding of the following security related topics: social engineering tactics, email and messaging security, safely browsing the internet, social networking threats, mobile device security, password best practices, data classification, data transmission and encryption, data destruction, WiFi security, working remotely, insider threats from students and staff, physical security issues, protecting personal/work computers, copyright infringements, malware and virus protection, sharing files with local and state entities, and workspace security.
  3. Procedure:All SSSD employees shall receive security specific trainings annually.
Security for Workstations
  1. Overview: The workstations at SSSD contain sensitive information and data. SSSD SIO will implement procedures to ensure that this information will be secure.
  2. Purpose:SSSD shall ensure that any user’s computer must not be left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers should be used to enforce this requirement.
  3. Procedure:Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information; including personally identifiable information (PII) and that access to sensitive information is restricted to authorized users.
  • SSSD employees using controlled workstations shall consider the sensitivity of the information, including personally identifiable information (PII) that may be accessed and minimize the possibility of unauthorized access.
  • SSSD will implement physical and technical safeguards for all workstations that access electronic personally identifiable information (PII) to restrict access to authorized users.
  • Appropriate measures include:
    • Restricting physical access to workstations to only authorized personnel.
    • Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
    • Enabling a password protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected. The password must comply with SSSD Password Procedure.
    • Complying with all applicable password policies and procedures. See SSSD Password Procedure.
    • Ensuring controlled workstations are used for authorized business purposes only.  Never installing unauthorized software on controlled workstations.
    • Storing all sensitive information, including personally identifiable information (PII)
    • Securing laptops that contain sensitive information by locking laptops up in drawers, cabinets or in a classroom/office.
    • Enable Workstation Encryption
    • Users are not set up as computer administrators
Network Security
  1. Overview: Network security entails protecting the usability, reliability, integrity, and safety of network and data. Effective network security defeats a variety of threats from entering or spreading on a network. The primary goals of network security are Confidentiality, Integrity, and Availability.
  2. Purpose:The minimal security configuration required for all routers and switches connecting to a production network or used in a production capacity at or on behalf of SSSD.SSSD shall ensure that all untrusted and public access computer networks are separated from main computer networks and utilize security policies to ensure the integrity of those computer networks. SSSD will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.
  3. Procedure:Network perimeter controls will be implemented to regulate traffic moving between trusted internal (SSSD) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.
Wireless Network Security
  1. Overview: Network security entails protecting the usability, reliability, integrity, and safety of network and data. Effective network security defeats a variety of threats from entering or spreading on a network. The primary goals of network security are Confidentiality, Integrity, and Availability.
  2. Purpose:No wireless access point shall be installed on SSSD computer network that does not conform to current network standards as defined by the Network Manager.  SSSD shall scan for and remove or disable any rogue wireless devices on a regular basis. All wireless access networks shall conform to current best practices and shall utilize at minimal WPA2 encryption for any connections.  Open access networks are not permitted with the exception of a guest network managed with a captive portal.
  3. Procedure:Wireless Network controls will be implemented to regulate traffic moving between trusted internal (SSSD) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.
Remote Access Procedure
  1. Overview:Remote access allows a user to connect from outside the SSSD organization network. This procedure applies to all SSSD employees, contractors, vendors and agents with a SSSD owned or personally owned computer or workstation used to connect to the SSSD network. This procedure applies to remote access connections used to do work on behalf of SSSD
  2. Purpose:The purpose of this procedure is to define standards for connecting to SSSD network from any host. These standards are designed to minimize the potential exposure to SSSD from damages, which may result from unauthorized use of SSSD resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical SSSD internal systems, etc.  Remote access implementations that are covered by this procedure include, but are not limited to DSL, VPN, and SSH.
  3. Procedure:It is the responsibility of SSSD employees, contractors, vendors and agents with remote access privileges to SSSD network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to SSSD.

Please review the following procedures to ensure protection of information when accessing the SSSD network via remote access methods, and acceptable use of SSSD network:

  • Encryption Procedures
  • Wireless Infrastructure Communications Procedure
  • Acceptable Use Procedure 
Requirements
  • Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass phrases. For information on creating a strong pass phrase see the Password Procedures.
  • At no time should any SSSD employee provide his or her login or email password to anyone, not even family members.
  • SSSD employees with remote access privileges must ensure that their SSSD owned or personal computer or workstation, which is remotely connected to SSSD network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
  • The SSSD director must approve non-standard hardware configurations. Security configurations for access to hardware must also be approved.
  • All hosts that are connected to SSSD internal networks via remote access technologies, must use the most up-to-date anti-virus software, this includes personal computers.
  • Personal equipment that is used to connect to SSSD networks must meet the requirements of SSSD owned equipment for remote access.
  • Organizations or individuals who wish to implement non-standard Remote Access solutions to the SSSD production network must obtain prior approval from SSSD director.
Password Procedure
  1. Overview: Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the entire network. This guideline provides best practices for creating secure passwords.
  2. Purpose:The purpose of this procedure is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.  This procedure applies to all personnel and entities working on behalf of SSSD, who have or are responsible for any account (or any form of access that supports or requires a password) on any system that resides at or is connected to SSSD.
  3. Procedure:To minimize the possibility of unauthorized access, all passwords should meet or exceed the guidelines for creating strong passwords.
Password Characteristics
  1. Strong passwords
  • Contain at least 12 alphanumeric characters
  • Contain both upper and lower case letters
  • Contain at least one number (for example, 0-9)
  • Contain at least one special character (for example,!$%^&*()_+|~-=\`{}[]:”;'<>?,/)
  1. Protection of passwords
  • Users must not use the same password for SSSD accounts as for other non-SSSD access (for example, personal email accounts, shopping sites, social media, and so on
  • Where possible, users must not use the same password for various SSSD access needs or user accounts that have system-level privileges granted through group memberships or programs such as FileMaker must have a unique password from all other accounts held by that user to access system-level privileges; unless account has 2-factor authentication enabled
  • All system-level passwords (for example, root, enable, NT admin, application administration accounts, and so on) must be changed on at least a quarterly basis
  • All user-level passwords (for example, email, web, desktop computer, and so on) must be changed at least annually.
  • Password cracking or guessing may be performed on a periodic or random basis by the UETN team or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it
  • Default passwords must be changed during initial setup and configuration
  • Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information
  • Passwords must not be inserted along with the username into email messages or other forms of electronic communication
  • Do not reveal a password on questionnaires or security forms
  • Do not share your SSSD passwords with anyone, including administrative assistants, secretaries, managers, co-workers while on vacation, and family members
  • Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption
  • Never use the “Remember Password” feature of applications (for example, web browsers)
  • Any user suspecting that his/her password may have been compromised must report the incident to their supervisor and change all passwords immediately

Access Control

  1. Overview:Access control is the process of authorizing users, groups, and computers to access objects on the network or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
  2. Purpose:The purpose for setting access control in the SSSD organization  provides system and application access based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.
  3. Procedure: This procedure is directed to the IT Management Staff who is accountable to ensure proper access is given to individual employees.
  • SSSD shall ensure that user access shall be limited to only those specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.
  • SSSD shall ensure that user access should be granted and/or terminated upon timely receipt, and management’s approval, of a documented access request/termination.
  • SSSD shall ensure that audit and log files are maintained for at least ninety days for all critical security-relevant events such as: invalid logon attempts, changes to the security policy/ configuration, and failed attempts to access objects by unauthorized users, etc.
  • SSSD shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.
Security Response Plan Procedure
  1. Overview:A Security Response Plan (SRP) provides the impetus for security and operational groups to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines.
  2. Purpose:The purpose of this procedure is to establish the requirement that all operational groups supported develop and maintain a security response plan. This ensures that the security incident response team has all the necessary information to formulate a successful response should a specific security incident occur. This procedure applies any established and defined operational group or entity within the SSSD.
  3. Procedure:The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the SSSD director and network administrator. 
Service or Product Description

The product description in an SRP must clearly define the service or application to be deployed with additional attention to data flows, logical diagrams, architecture considered highly useful.

Contact Information

The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).

Triage

The SRP must define triage steps to be implemented with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.

Identified Mitigations and Testing

The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.

Mitigation and Remediation Timelines

The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact.

Disaster Recovery Plan Procedure
  1. Overview:Since disasters happen so rarely, management often ignores the disaster recovery planning process. It is important to realize that having a contingency plan in the event of a disaster gives SSSD an advantage. This procedure requires management to financially support and diligently attend to disaster contingency planning efforts. Disasters include, but are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service should be considered.
  2. Purpose:This procedure defines the requirement for a baseline disaster recovery plan to be developed and implemented by SSSD that will describe the process to recover IT Systems, Applications and Data from any type of disaster that causes a major outage.
  3. Procedure:This procedure is directed to the IT Management Staff who is accountable to ensure the plan is developed, tested and kept up to date. This procedure is solely to state the requirement to have a disaster recovery plan, it does not provide requirement around what goes into the plan or sub plans. The SSSD director and IT director will develop the following contingency plans.

 

The following contingency plans must be created:

  • Data Study: Detail the data stored on the systems, its criticality, and its confidentiality.
  • Data Backup: Procedures for performing routine daily/weekly/monthly backups and storing backup media at a secured location other than the server room or adjacent facilities. As a minimum, backup media must be stored off-site a reasonably safe distance from the primary server room.
  • Restoration Plan: Describes how the backups are restored.
  • Equipment Replacement Plan: Describe what equipment is required for providing services
  • Critical Systems Instructions: Documentation must include:
    • Location of installation software
    • Backup frequency and storage locations
    • Username and passwords
    • Support phone numbers
    • Steps to restart, reconfigure, and recover the system
    • Power up and power down procedures
    • Equipment age
    • Model and serial numbers
    • Warranty and maintenance contract information
    • Software licensing information and storage location
    • IP and MAC addresses
    • Supplier contacts for sources of expertise to recover systems. These might include vendors that sell/support the products, or the manufacturers themselves
    • Website username and password
    • Server username and password
    • Assigned computer username and password
Malicious Software Procedure
  1. Overview:Malicious Software is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. It may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge.
  2. Purpose:The purpose of the procedure is to ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.
  3. Procedure: This procedure is directed to the IT Management Staff who is accountable to ensure the security of district networks and data.
  • Server and workstation protection software will be deployed to identify and eradicate malicious software attacks such as viruses, spyware, and malware.
  • SSSD shall install, distribute, and maintain spyware and virus protection software on all SSSD-owned equipment, i.e. servers, workstations, and laptops. 
  • SSSD shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.
  • All computers must use the District approved anti-virus solution.
  • Any exceptions to malicious software procedure must be approved by the Security Information Officer.
Internet Content Filtering Procedure
  1. Overview:Internet content filtering is the use of a program or hardware to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable.
  2. Purpose:The purpose of Internet content filtering is to provide best effort to protect students, teachers, and school employees from objectionable material.
  3. Procedure: This procedure is directed to the IT Management Staff who is accountable to ensure that Internet content filtering best practices are implemented.
  • In accordance with Federal and State Law, SSSD shall filter internet traffic for content defined in law that is deemed harmful to minors.
  • SSSD acknowledges that technology based filters are not always effective at eliminating harmful content and due to this, SSSD uses a combination of technological means and supervisory means to protect students from harmful online content.
  • In the event that employees take devices home, SSSD will provide a technology based filtering solution for those devices.  However, the District will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content. Data Privacy Procedure

Data Privacy Procedure

  1. Overview:Data can be used to facilitate change and improvement, there is however a need to balance the usefulness of this data with the privacy of who the data is about.
  2. Purpose:The purpose of protecting data is to provide best effort to ensure that data breaches do not happen and to place into training and procedure steps to protect individuals.
  3. Procedures: This procedure is directed to the IT Management Staff who is accountable to ensure that Privacy and data protection best practices are implemented.
  • SSSD considers the protection of the data it collects on students, employees and their families to be of the utmost importance.
  • SSSD protects student data in compliance with the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 ( “FERPA”), the Government Records and Management Act  U.C.A. §62G-2 ( “GRAMA”), U.C.A. §53A-1-1401 et seq, 15 U.S. Code §§ 6501–6506 (“COPPA”) and Utah Administrative Code R277-487 (“Student Data Protection Act”).
  • SSSD shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.
Audit Procedures
  1. Overview:Planned and random security audits are important in order to mitigate risk and evaluate our preparedness for a security incident. SSSD contracts with UETN to conduct periodic security penetration tests using the CIS Critical Security Controls on devices and networks.
  2. Purpose:The purpose of this procedure is to ensure all devices and network are configured according to the SSSD security policy. All devices connected to the SSSD network are subject to audit at any time. Audits may be conducted to:
  • Ensure integrity, confidentiality and availability of information and resources
  • Ensure conformance to the SSSD security policy
  1. Procedure:SSSD hereby provides its consent to allow the UETN security audit team or an external auditor to access its devices to the extent necessary, within a predetermined scope; which will be written and approved by the UETN team to allow the auditor to perform scheduled and random audits of any/all devices at SSSD.
  • Specific Concerns
    SSSD devices may support critical business functions and store sensitive information. Improper configuration of devices could lead to the loss of confidentiality, availability or integrity of these systems
  • Guidelines
    Approved and standard configuration templates shall be used when deploying devices:
    • Host security agents such as antivirus and malware protection shall be installed and updated
    • Perform network scans to verify only required network ports and network shares are in use
    • Verify administrative group membership
    • Conduct baselines when systems are deployed and upon significant system changes
    • Changes to configuration template shall be coordinated with SSSD network administrator
    • Must follow all other applicable procedures for deployed new devices
  1. Responsibility:The UETN Team or an external auditor shall conduct audits of all devices owned or operated by SSSD. Device owners are encouraged to audit their own devices as needed; this does not allow a device owner to perform an audit of the SSSD network or on any device not owned by the employee
  2. Relevant Findings:All relevant findings discovered as a result of an audit shall be listed in the UETN report to SSSD to ensure prompt resolution and/or appropriate mitigating controls
  3. Ownership of Audit Report:All results and findings generated by the UETN team or an external auditor must be provided to appropriate SSSD management within one month of project completion. This report will become the property of SSSD and be considered confidential
Clean Desk Procedure
  1. Overview:The purpose of this procedure is to establish a culture of security for all SSSD employees. An effective clean desk effort, involving the participation and support of all employees, will protect paper documents that contain personally identifiable and other sensitive information.
  2. Purpose:The primary reasons for a clean desk procedure are:
  • A clean desk reduces the threat of a security incident since confidential information will be locked away when unattended.
  • Sensitive documents left in the open can be viewed and/or stolen by a malicious entity.
  1. Procedure: Appropriate measures must be taken to ensure the confidentiality, integrity and availability of sensitive information, including but not limited to Personally Identifiable Information (PII).

Appropriate measures include:

  • Restricting physical access to devices.
  • Ensuring that all sensitive/confidential information in hardcopy or electronic form is secure in the work area at the end of each day.
  • Securing workstations (screen lock or logout) prior to leaving an area to prevent unauthorized access.
  • Enabling a password-­‐protected screen saver with a short timeout period to ensure that devices left unsecured will be protected.
  • Complying with all applicable password policies and procedures. See SSSD Password Procedure.
  • Ensuring devices are used for authorized educational/business purposes only.
  • Never sending personally identifiable information (PII) or sensitive personal information(SPI) via email to anyone, including forwarding a message.
  • Storing all sensitive information on password-­‐protected drives or secure, restricted, network servers.
  • Securing laptops that contain sensitive information by using cable locks, locking laptops up in drawers or cabinets, and/or by locking the door behind you.
  • Sensitive working papers should be placed in locked drawers whenever a user is away from their desk.
  • At the end of the work-­‐day the employee is expected to tidy their desk by locking up all sensitive papers and devices.
Email Procedure
  1. Overview:Electronic email is used pervasively, and is often the primary communication and awareness method within an organization. Misuse of email, however, can pose many legal, privacy and security risks, thus it is important for users to understand the appropriate use of electronic communications.
  2. Purpose:The purpose of this email procedure is to ensure the proper use of the SSSD email system and make users aware of what SSSD deems as acceptable and unacceptable use of its email system. This procedure outlines the minimum requirements for use of email within the SSSD network.
  3. Procedure:
  • All use of email must be consistent with SSSD policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices
  • SSSD email account should be used primarily for SSSD business related purposes; personal communication is permitted on a limited basis, but non-­‐SSSD related commercial uses are prohibited
  • The SSSD email system shall not to be used for the creation or distribution of any disruptive or offensive messages; including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any SSSD employee should report the matter to their supervisor immediately
  • Users are prohibited from automatically forwarding SSSD email to a third party email system. Individual messages which are forwarded by the user must not contain SSSD confidential or above information
  • Using a reasonable amount of SSSD resources for personal emails is acceptable. Sending chain letters or inappropriate joke emails from a SSSD email account is prohibited
  • SSSD employees shall have no expectation of privacy in anything they store, send or receive
  • SSSD may monitor messages without prior notice. SSSD is not obligated to monitor email messages

pdfECD-SP_Technology_Security_Policy_Procedure.pdf

Print Email