Data loss or corruption resulting from security attacks can be catastrophic to individuals, schools, or the entire school system. Security attacks can also result in interruption of network services thereby negatively impacting students and staff.
With the increased use of technology and networked applications, the Pamlico County Board of Education believes it is vital that all users understand the role they play in protecting the integrity and performance of the network, as well as the confidentiality of information.
The Technology Department will implement and utilize a variety of security measures to do the following: 1) protect the school system’s network and computers from a security breach, abuse and inappropriate use; and 2) safeguard confidential data.
A. Definitions
The following definitions apply to this policy:
1. Firewall
A firewall is used to control who and what enters the network by using rules and filters. It also is used as an effective monitoring tool.
2. Proxy Server
The proxy server allows Network Address Translation to be used and removes the workstation’s identity on the Internet thereby removing the vulnerability for attack. The proxy server is also useful for identifying intrusion attempts and Internet misuse.
3. Network Address Translation
This is a method of translating between a single public IP address and internal private IP addresses, which obscures individual workstations from the Internet.
4. Access Control
By way of network rights or permissions to server locations, individual users have access only to the information or data that is relevant to the work they are permitted to do.
5. Intrusion Detection System
An intrusion detection system is software used to detect and alert on abnormal port, protocol or network traffic activity.
B. Technology Department Responsibilities
The Technology Department, partnered with North Carolina’s Office of Information Technology Services (ITS), will:
monitor the network to ensure the appropriate privacy to users and sensitive information.
notify the appropriate contacts when a security problem or a potential security problem is identified in order to resolve the associated problems. Temporary isolation of systems or devices from the network may be necessary to resolve these problems.
install and maintain virus protection software on all computer equipment.
stay updated on vulnerability notices, patches and updates.
carry out automatic network-based vulnerability updates, patches, compromise assessments, and compliance scans.
submit network summary reports to the technology director.
prepare recommendations for additions or upgrades for network equipment or utilities to help the Technology Department remain effective in their efforts to keep the Pamlico County Schools network and electronic information secure.
maintain user accounts and workstations.
maintain user access control so information will not be accessible to unauthorized users.
force all authorized users to log onto the network and authenticate in order to have access to the network and resources.
require that employee network passwords be changed on a to-be-determined basis to maintain security.
provide a guest account for mobile users that will allow Internet connectivity but not threaten the existing network.
prohibit the connection to the system’s network of any equipment or devices that are not the property of Pamlico County Schools without explicit permission of the network administrator or technology director.
prohibit the unauthorized installation of software on any school system owned equipment.
assume no responsibility for the maintenance or repair of an employee’s personal equipment.
use a problem-reporting database to report all technical support requests or notifications. Problem reporting will be done by a member of Technology Services (building level support). Problems will be addressed based upon the impact of the problem. Most urgent problems will be addressed first or in order of being reported.
evaluate all procedures and policies annually.
revise policies and procedures as needed.
A layered approach will be used to provide security for the school system’s network. Network security will be accomplished by use of: Firewalls, Proxy Server, Network Address Translation, Intrusion Detection Systems, 24 x 7 monitoring (ITS), and access control and monitoring.
Internet bandwidth management hardware and utilities will be used to prioritize as well as monitor Internet traffic and network access. Internal network traffic will be monitored using software applications.
Workstation security will be elevated with the use of a restore or “rollback” program which puts the computer back in the exact condition it was in when it was started thereby removing any changes made by viruses, spyware, or user mistakes.
Technology Services personnel will subscribe to security alert advisories to receive notices daily of software and hardware vulnerabilities. Advisories that affect Pamlico County Schools will be reviewed and appropriate action will be taken.
C. User Rights and Responsibilities
All employees and students who use the school system’s network and computer equipment are subject to all procedures and guidelines stated in Board Policies related to student and staff acceptable use. Failure to comply with these policies can result in suspension of rights to use the network and computer equipment, and other disciplinary actions. Guest users are subject to this policy and the guidelines as stated in acceptable use policies.
Users should understand that data stored, sent or received by them within the school system’s computers or networks may be monitored to ensure the security and optimal operating performance of the network, to enforce system policies, or to provide compliance with state or federal law.
It is the responsibility of all users to back up their data files to the server. Failure to do so may result in lost data.
A firewall exists between the school system’s private network and the Internet in order to protect the network. Employees, students, and guests must not circumvent the firewall. Some protocols may be blocked or redirected for security purposes.
Internet use is monitored and is provided for educational purposes. Users who violate this policy are subject to disciplinary or legal action.
D. Web Applications
Electronic systems and software applications may be remotely accessible from any source capable of Internet access. Users of such systems should take every precaution to prevent compromising confidential data. Such precautions include security of the actual device used for access. Devices used to access the systems should have the latest anti-virus software and definition files installed along with controls for adware and spyware in place. The user must meet user id and password requirements.
Employees should not transfer confidential data electronically over the Internet without using appropriate encryption technologies. Appropriate encryption technologies shall be specified by Technical Services.
E. Reporting of Information Technology Security Incidents
Security incidents determined by school administrators or program directors to be serious enough to compromise the integrity of the network or data shall be reported immediately to Technical Services. Appropriate action will be taken to eliminate any determined weakness in the security system. High-level security breaches shall be reported to the Office of the Superintendent.
F. Disaster Recovery of Data and Hardware
The business functions of the school system, which include administration, instruction, and operations, are heavily dependent upon computer resources. The following procedures are followed to minimize any possible disaster.
As part of the ITS service contract, ITS will continuously monitor the server hardware remotely. In the event of failed hardware components, ITS will ship replacement hardware to the agency site within 24 hours of failure notification, except in cases of a large-scale disaster. For this purpose, large-scale disasters are defined as any event or action that causes more than two sites across North Carolina to fail at nearly the same time. During a large-scale disaster, the 24-hour hardware replacement commitment does not apply. Instead, ITS will make its best effort to recover each site in accordance with the agency disaster recovery plan. In addition to shipping replacement hardware, ITS will, if required, send network technicians to the site to repair and restore service in a timely manner. These repairs may include installation of any replacement hardware and restoration of agency files from backup tapes.
Servers that are not ITS managed servers will be monitored and checked daily by Technology Department personnel. If hardware failures are beyond the expertise of the school system's Technology Department, ITS will be contacted and the best action plan will be determined.
Backups of all data files will be performed daily and stored in a separate facility. These data files include, but are not limited to, financial and personnel data, student data (TIMS/ILS), and GroupWise data. These data files would provide the means of recovering critical student and personnel data.
All school employees will be encouraged to save critical files to their local hard drives and to their home directories on the school system's server. User failure to back up critical files will not be the responsibility of the Technology Department and may result in loss of files.
Students will be provided at least 10 MB of hard drive space on the server for personal files. These files will be backed up daily.
Faculty and staff will be provided at least 25 MB of hard drive server space. These files will be backed up daily.
Backup logs will be maintained by individuals responsible for system backups.
Legal Reference: G.S. 115C-47, 391
Cross Reference: Internet Access (Policy 5450), Appropriate Internet Use (Policy 5451), Student Internet Use (Policy 5452), Internet Use – Instructional Staff Responsibility (Policy 5453).
Adopted: June 5, 2006