Security
Securing data is a large part of ensuring student data protection. Student data should be stored following FERPA principles and the processes, policies and best practices noted herein. As some of this information is restricted to PV Operations, only certain employees have access to it. Should you feel you have a right to know and a need to know, please contact your school administrator or supervisor.
U.S. Department of Education Data Security Checklist
New Federal Law Mandates the Reporting of Cybersecurity Incidents Involving Critical Infrastructure. Strengthening American Cybersecurity Act (SACA)
I. Student Information Applications
(A) Any software system owned or managed by the District which is used to store, process, or analyze student educational records as defined by FERPA shall be subject to strict security measures. These District Systems are:
1) Infinite Campus
2) IEP Pro
3) e-Trition
4) School City
5) Visions
6) Talent Ed
7) School Links
8) Curricular titles (MHE, Pearson, etc.)
9) Google
10) Final Site
11) AD, AR, Destiny, O365, ComEd, etc.
(B) Administrators with supervisory responsibilities over District Systems shall determine the appropriate access rights to the data and enforce compliance with these roles and permissions.
II. District Systems
The Data Governance Committee has implemented the following:
(A) Strong password requirement, migrating to MFA for key roles.
(B) Data Security Agreements for those with District System permissions.
Student Class I data, directory information, and, in some cases, Class II data may be transferred to an external service provider, such as an online website that teachers wish students to use for educational purposes, provided that:
The teacher follows the protocols for getting approval for the site to be used.
The District notifies parents about their right to restrict their child's data from being shared with such sites annually via Code of Conduct/AUP.
The transfer of data is handled in a manner approved by the Information Technology Department, or is performed by the Information Technology Department.
No Class III data, or FERPA-protected educational records, will be transferred to an external service provider without prior approval of the Information Technology Department.
Class III Data are:
Behavior
Service/Score (ELL, Title, FRE, SPED, Gifted, Grades, Assessments (federal, state, district, school, classroom))
Attendance Record
(C) No school or department should enter into a contract for the use of any program that requires the import of District data without first consulting and receiving approval from the Data Governance committee.
(D) The Data Governance committee will determine which of the following should be required of the service provider and assist in ensuring these requirements are met prior to any data transfer:
Contract
Designating the service provider as an "Official" as defined in FERPA
Memorandum of Understanding
Memorandum of Agreement
Non-Disclosure Agreement
(E) Non-Disclosure Agreement (NDA) Information
I. Purpose of Data Backup and Retention Procedures
Ensure that procedures for comprehensive data backup are in place and that system data is restorable in the event of data corruption, software or hardware failures, data damage or deletion (either accidental or deliberate), properly executed requests from the office of the Superintendent, or for forensic purposes. (Departments and schools need to work with the Information Technology Department to review, then audit annually, their backup processes, both internally and externally, including with vendors.)
Provide a documented policy of how long data is retained, and therefore restorable.
Provide documentation of what systems and data are specifically included in, and excluded from, backup and retention.
Establish the groups or individuals responsible for data backup and retention procedures, including the on-site and offsite locations of backup media.
Establish the procedural guidelines used to initiate a data restore, and review/practice to an auditable level, at least annually.
II. Scope
This Policy applies to all servers, gear, workstations and systems installed and controlled exclusively by the PV Schools Information Technology Department (Systems Table I - where is this, and do we need this area??) and excludes servers and systems controlled by specific departments within PV Schools (Systems Table II ??). In cases where other Departments are responsible for their backup systems, the Information Technology Department will provide technical and professional guidance for backup routines and procedures, as requested.
This Policy applies to all user data in the following manner:
All users with network permissions are trained and urged to store data on their server workspace, but they are permitted to store files on local machines. Individual users may delete their data from either network servers or local machines at will. If data stored on a server is deleted by the end user and falls outside of the backup period, the System has no method of recovering such files.
Files stored by users on individual hard drives or other individual storage devices are not backed up and may become unrecoverable in the case of hard drive failure or accidental deletion. Although technicians may be able to locate or recover locally stored files, these files are not part of the data backup or recovery plan.
This Policy does not apply to connected systems which are the property, and therefore the responsibility, of outside entities such as the Arizona State Department of Education.
This Policy includes a special section for the e-mail system, as its backup and retention system is separate from other systems. This policy includes all systems - DG is about operations as well, not just security - think Business Continuity...
Data Classification is performed by the Data Owner in consultation with Data Stewards and the IT Department.
I. Purpose
Implement standards and procedures to effectively manage and provide necessary access to System Data, while at the same time ensuring the confidentiality, integrity and availability of the information. Insofar as this policy deals with access to PV Schools' computing and network resources, all relevant provisions in the Acceptable Use Policies are applicable.
Provide a structured and consistent process for employees to obtain necessary data access for conducting PV Schools operations.
Define data classification and related workflows and safeguards. Applicable federal and state statutes and regulations that guarantee either protection or accessibility of System records will be used in the classification process.
Provide a list of relevant considerations for System personnel responsible for purchasing or subscribing to software that will utilize and/or expose System Data.
Establish the relevant mechanisms for delegating authority to accommodate this process at the district department and school level while adhering to separation of duties and other best practices.
II. Scope
These Security Measures apply to information found in or converted to a digital format. (The same information may exist in paper format for which the same local policies, state laws, statutes, and federal laws would apply, but no electronic control measures are needed.)
Security Measures apply to all employees, contract workers, volunteers, and visitors of PV Schools and all data used to conduct operations of the System.
Security Measures do not address public access to data as specified in the Arizona Open Records law, the Freedom of Information Act, and any other public access law or regulation. Where laws may conflict, resolution with the appropriate departments and schools will occur, including the Superintendent as appropriate.
Security Measures apply to System Data accessed from any location; internal, external, or remote.
Security Measures apply to the transfer of any System Data outside the System for any purpose.
III. Guiding Principles
Inquiry-type access to official System Data will be as open as possible to individuals who require access in the performance of System operations without violating local Board, legal, Federal, or State restrictions.
The Superintendent and/or his designees shall determine appropriate access permissions based on local policies, applicable laws, best practices, and appropriate laws related to public access.
Data Users granted "create", "delete" and/or "update" privileges are responsible for their actions while using these privileges. That is, all schools or other facilities are responsible for the System Data they create, update, and/or delete.
Any individual granted access to System Data is responsible for the ethical usage of that data. Access will be used only in accordance with the authority delegated to the individual to conduct PV Schools operations.
It is the express responsibility of authorized users to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.
These Security Measures apply to System data regardless of location. Users who transfer or transport System data "off-campus" for any reason must ensure that they are able to comply with all data security measures prior to transporting or transferring the data.
IV. Access Coordination
Central Office Department heads, supervisors, area specialists, and principals (Authorized Requestors) will assist in classifying data sensitivity levels for their areas of expertise and in identifying which employees require access to which information in order to complete their duties.
The IT Director will designate individuals within the Information Technology Department to implement, monitor, and safeguard access to System Data based on the restrictions and permissions determined by the Authorized Requestors using the technical tools available.
Central Office Department heads, supervisors, area specialists, and principals will be responsible for educating all employees under their supervision of their responsibilities associated with System Data security.
I. Shared Responsibilities
The Information Technology Department shall implement, maintain, and monitor technical access controls and protections for the data stored on the System's network.
System employees, including Authorized Requestors, shall not select or purchase software programs that will utilize or expose Class III data without first consulting the Information Technology Department to determine whether or not adequate controls are available within the application to protect that data.
The Information Technology Department staff and/or the Authorized Requestor will provide professional development and instructions for Authorized Users on how to properly access data to which they have rights, when necessary. However, ensuring that all employees have these instructions will be the shared responsibility of the supervisor(s) of the Authorized User(s) and the Information Technology Department.
Technical controls and monitoring cannot ensure with 100% certainty that no unauthorized access occurs. For instance, a properly Authorized User leaves their workstation while logged in, and an unauthorized person views the data in their absence. Therefore, it is the shared responsibility of all employees to cooperatively support the effectiveness of the established technical controls through their actions.
II. Authorized Requestors
Authorized Requestors (Section IV. A) are responsible for being knowledgeable in all policies, laws, rules, and best practices relative to the data for which they are granting access, including, but not limited to, FERPA, HIPAA, PCI, CIPA, etc.
Authorized Requestors shall be responsible for informing appropriate Information Technology Department personnel about data classifications in order that the Information Technology Department can determine the best physical and/or logical controls available to protect the data. This shall include:
Which data should be classified as Class III.
Where that data resides (which software program(s) and server(s)).
Who should have access to that data (Authorized Users).
What level of control the Authorized User should have to that data (e.g., read/write, delete, view, print, etc.).
III. Location of Data and Physical Security
Class III data may be stored on servers/computers (on or off premise) which are subject to network/workstation controls and permissions. It shall not be stored on portable media that cannot be subjected to password, encryption, or other protections.
Serving devices (on premise servers) storing sensitive information shall be operated by professional network system administrators, in compliance with all Information Technology Department security and administration standards and policies, and shall remain under the oversight of Information Technology Department supervisors.
Persons who must take data out of the protected network environment (transport data on a laptop, etc.) must have the permission of their supervisor prior to doing so. Permission to do so will be granted only when absolutely necessary, and the person transporting the data will be responsible for the security of that data, including theft or accidental loss.
All servers containing system data and all network devices transporting Class III data will be located in secured areas with limited access. At the school or other local building level, the principal or other location supervisor will ensure limited, appropriate access to these physically secured areas.
District staff who must permanently maintain printed reports that contain Class II or III data shall take responsibility for keeping this material in a secure location - vault, locked file cabinet, etc. In addition, all printed material containing Class III documentation shall be shredded when no longer in use, per appropriate department/school protocols, including applicable state and federal laws/regulations.
IV. Disposal of Hardware containing System Data
Prior to disposal of any computer, the user will notify the Information Technology Department. A technician will remove the hard drive from the device and destroy it prior to the device being disposed of or auctioned off.
All schools and departments which purchase or lease copy machines or multi-function printers will be expected to include provisions for the destruction of data on the device's hard drive or the destruction of the hard drive itself prior to disposing of the copier or MFP or its return to the leasing agency.
V. Application of Network and Computer Access Permissions
The Information Technology Department staff shall be responsible for implementing network protection measures that prevent unauthorized intrusions, damage, and access to all storage and transport media, including, but not limited to:
Maintaining firewall protection access to the network and/or workstations
Protecting the network from unauthorized access through wireless devices or tapping of wired media, including establishing 'guest' wireless networks with limited network permissions.
Implementing virus and malware security measures throughout the network and on all portable computers.
Applying all appropriate security patches.
Establishing and maintaining password policies and controls on access to the network, workstations, and other data depositories.
Information Technology Department staff will apply protection measures based on the Data Classifications (see sections IV and V), including:
Categorizing and/or re-classifying data elements and views.
Granting selective access to System Data
Documenting any deviation from mandatory requirements and implementing adequate compensating control(s).
Conducting periodic access control assessments of any sensitive information devices or services.
VI. Sensitive Data as it pertains to Desktops/Laptops/Workstations/Mobile Devices
Firewalls and anti-virus software must be installed or managed via cloud techniques on all desktops, laptops and workstations that access or store sensitive information, and a procedure must be implemented to ensure that critical operating system security patches are applied in a timely manner.
Storage of sensitive information on laptops, mobile devices, and devices that are not used or configured to operate as servers is prohibited, unless such information is safeguarded in an Information Technology Department-approved manner.
The user responsible for the device shall take proper care to isolate and protect files containing sensitive information from inadvertent or unauthorized access.
Assistance with securing sensitive information may be obtained from the Information Technology Department, as necessary.