Technology Security Policy

Utah International Charter School (UI) supports secure network systems, including security for all personally identifiable information that is stored on paper or digitally on school computers and networks.  UI mitigates data threats that may harm the school, its students, or its employees.  UI will make reasonable efforts to maintain network security, understanding that data loss can be caused by human error, hardware malfunction, or natural disaster, and may not be preventable.

When an employee or other user becomes aware of suspicious communication or unauthorized use of data, he or she will immediately contact the UI information security officer (principal).

This policy covers third party vendors and contractors that keep or have access to UI’s sensitive data.  These parties will sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.

UI fully conforms with all federal and state privacy and data governance laws, including the Family Educational Rights and Privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (FERPA), the Government Records and Management Act, U.C.A. §62G-2 (GRAMA), U.C.A. §53A-1-1401 et seq., and Utah Administrative Code R277-487.

UI will train staff and students regarding the importance of network security and best practices.  The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network and the Utah State Office of Education. UI supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect our data, users, and electronic assets.

Procedures

1. Security Responsibility

UI shall appoint, in writing, a student data manager responsible for overseeing data security, to include development of policies and adherence to the standards defined in this document.

2. Training

UI shall ensure that all employees having access to sensitive information undergo annual data privacy training which emphasizes their personal responsibility for protecting student and employee information. Training resources will be provided to all employees.

UI shall ensure that students are educated about cyber security and protection of their own data privacy.

3. Physical Security

UI will ensure that any user’s computer is not left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers will be used to enforce this requirement.

UI will ensure that all equipment that contains sensitive information will be secured to deter theft.

UI will ensure that server rooms and telecommunication rooms are kept locked, with access only by authorized personnel.

4. Network Security

Network perimeter controls will be implemented to regulate traffic moving between trusted (school) resources and external, untrusted (internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.

UI shall ensure that all untrusted and public access computer networks are separated from main district computer networks and utilize security policies to ensure the integrity of those computer networks.

UI will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.

No wireless access point shall be installed on UI’s computer network that does not conform with current network standards as defined by the network manager.

UI will scan for and remove or disable any rogue wireless devices on a regular basis.

All wireless access networks will conform to current best practices and shall utilize, at a minimum, WPA encryption for any connections.  Open access networks are not permitted, except on a temporary basis for events when deemed necessary.

5. Access Control

System and application access will be granted based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.

UI will enforce strong password management for employees, students, and contractors.

    • Do not share information system passwords with anyone. All passwords are to be treated as sensitive, confidential information.
    • Do not insert information system passwords into email messages or other forms of electronic communication.
    • Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

UI will ensure that user access is limited to only those specific access requirements necessary to perform their jobs, and that access is terminated when an employee leaves the school.

UI shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.

6. Incident Management

Monitoring and responding to IT related incidents will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.

7. Business Continuity

To ensure continuous critical IT services, UI will develop a business continuity/disaster recovery plan appropriate for the size and complexity of our operations, which shall include, as a minimum:

  • Backup Data: Procedures for performing routine daily/weekly/monthly backups and storing backup media at a secured location other than the server room or adjacent facilities. As a minimum, backup media must be stored off-site a reasonably safe distance from the primary server room.
  • Secondary Locations: Identify a backup processing location, such as another School or District building.
  • Emergency Procedures: Document a calling tree with emergency actions to include: recovery of backup data, restoration of processing at the secondary location, and generation of student and employee listings for ensuring a full head count of all.

8. Malicious Software

Server and workstation protection software will be deployed to identify and eradicate malicious software attacks such as viruses, spyware, and malware.

UI shall install, distribute, and maintain spyware and virus protection software on all district-owned equipment, i.e. servers, workstations, and laptops.

UI shall ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.

UI shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.

All computers must use the school-approved anti-virus solution.

9. Internet Content Filtering

In accordance with Federal and State Law, UI shall filter internet traffic for content defined in law that is deemed harmful to minors.

UI acknowledges that technology based filters are not always effective at eliminating harmful content.  UI therefore uses a combination of technological means and supervisory means to protect students from harmful online content.

In the event that students take devices home, UI will provide a technology based filtering solution for those devices.  However, UI will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.

Students shall be supervised when accessing the internet and using district owned devices on school property.

10. Data Privacy

UI considers the protection of the data it collects on students, employees and their families to be of the utmost importance.

UI protects student data in compliance with FERPA, GRAMA, U.C.A. §53A-1-1401 et seq., 15 U.S. Code §§ 6501–6506 (COPPA) and Utah Administrative Code R277-487 (Student Data Protection Act).

UI shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

11. Security Audit and Remediation

UI shall perform routine security and privacy audits in congruence with the school’s information security audit plan.

School personnel shall develop remediation plans to address identified lapses that conform with the school’s information security remediation plan template.

12. Employee Disciplinary Actions

Any employee found to be in violation of UI’s technology security plan or non-disclosure agreement may be subject to disciplinary action up to and including termination of employment with Utah International Charter School.
