NETWORK SECURITY Policy Code: 6524

The Avery County Schools’ computers, networks and other technological resources support the educational and administrative functions of the school system. Because employees and students depend on these systems to assist with teaching and learning and because sensitive and confidential information may be stored on these systems, system integrity and security is of utmost importance.

A. NETWORK AND INFORMATION SECURITY

   The school system information technology systems are valuable assets that must be
   protected. To this end, school technology personnel shall evaluate each information
   technology asset and assign protective controls that are commensurate with the
   established value of such assets. Appropriate security measures must be in place to
   protect all information technology assets from accidental or unauthorized use, theft,
   modification or destruction and to prevent the unauthorized disclosure of restricted
   information. Network security measures must include an information technology system
   disaster recovery process. Audits of security measures must be conducted annually.

   All personnel shall ensure the protection and security of information technology assets
   that are under their control.

B. SECURITY AWARENESS

   The technology director or designee shall provide employees with information to enhance
   awareness regarding technology security threats and to educate them about appropriate
   safeguards, network security and information security.

C. MALWARE PROTECTION

   Malware detection programs and practices must be implemented throughout the school
   system. The superintendent or designee is responsible for ensuring that the school system
   network includes current software to prevent the introduction or propagation of computer
   malware.

D. TRAINING FOR USE OF TECHNOLOGICAL RESOURCES

   Users should be trained as necessary to effectively use technological resources effectively
   ad in a manner that maintains the security of the network infrastructure and ensures
   compliance with state and federal law and regulations. Such training should include
   information related to remote access, virus protection, the state student information and
   instructional improvement system applications, network and information security, and
   other topics deemed necessary by the superintendent or technology director. Training
   may be conducted as part of the technology-related professional development program
   (see policy 3220, Technology in the Educational Program).


                                                                                  Page 1 of 3
                                                                 Policy Code:         6524

E. ACCESS TO INFORMATION TECHNOLOGY SYSTEMS

   1.     User ID and Password

          All users of information technology systems must be properly identified and
          authenticated before being allowed to access such systems. The combination of a
          unique user identification and a valid password is the minimum requirement for
          granting access to information technology systems. Depending on the operating
          environment, information involved and exposure risks, additional or more
          stringent security practices may be required as determined by the superintendent
          or technology director. The technology director or designee shall establish
          password management capabilities and procedures to ensure the security of
          passwords.

   2.     Student Information System

          The technology director or designee shall ensure that any all school system
          computers with access to the state student information system application
          pursuant to State Board of Education Policy TCS-C-018 adhere to relevant
          standards and requirements established by the State Board of Education, including
          provisions related to the user identification, password and workstation security
          standards. Employees must follow all such standards for all any computers used
          to access the student information system, including the employee’s personal
          computer.

   3.     Remote Access

          The superintendent and technology director may grant remote access to
          authorized users of the school system’s computer systems. The technology
          director or designee shall ensure that such access is provided through secure,
          authenticated and carefully managed access methods.

Legal References: G.S. 115C-523, -524; State Board of Education Policy SBOP-018

Cross References: Professional and Staff Development (policy 1610/7800), Technology in the Educational Program (policy 3220), Technology Acceptable Use (policy 3225/4312/7320), School Improvement Plan (policy 3430), Use of Equipment, Materials and Supplies (policy 6520) Other References: State of North Carolina Statewide Information Security Manual (Enterprise Security and Risk Management Office

Adopted: 3/21/17 Revised: 4/28/17

                                                                                Page 2 of 3

Policy Code: 6524

           Page 3 of 3