6524 - Network Security The Avery County Schools’ computers, networks and other technological resources support the educational and administrative functions of the school system. Because employees and students depend on these systems to assist with teaching and learning and because sensitive and confidential information may be stored on these systems, system integrity and security is of utmost importance.

A. Network And Information Security

The school system information technology systems are valuable assets that must be protected. To this end, school technology personnel shall evaluate each information technology asset and assign protective controls that are commensurate with the established value of such assets. Appropriate security measures must be in place to protect all information technology assets from accidental or unauthorized use, theft, modification or destruction and to prevent the unauthorized disclosure of restricted information. Network security measures must include an information technology system disaster recovery process. Audits of security measures must be conducted annually.

All personnel shall ensure the protection and security of information technology assets that are under their control.

B. Security Awareness

The technology director or designee shall provide employees with information to enhance awareness regarding technology security threats and to educate them about appropriate safeguards, network security and information security.

C. Malware Protection

Malware detection programs and practices must be implemented throughout the school system. The superintendent or designee is responsible for ensuring that the school system network includes current software to prevent the introduction or propagation of computer malware.

D. Training For Use Of Technological Resources

Users should be trained as necessary to effectively use technological resources effectively ad in a manner that maintains the security of the network infrastructure and ensures compliance with state and federal law and regulations. Such training should include information related to remote access, virus protection, the state student information and instructional improvement system applications, network and information security, and other topics deemed necessary by the superintendent or technology director. Training may be conducted as part of the technology-related professional development program (see policy 3220, Technology in the Educational Program).

E. Access To Information Technology Systems

  1. User ID and Password

All users of information technology systems must be properly identified and authenticated before being allowed to access such systems. The combination of a unique user identification and a valid password is the minimum requirement for granting access to information technology systems. Depending on the operating environment, information involved and exposure risks, additional or more stringent security practices may be required as determined by the superintendent or technology director. The technology director or designee shall establish password management capabilities and procedures to ensure the security of passwords.

  1. Student Information System

The technology director or designee shall ensure that any all school system computers with access to the state student information system application pursuant to State Board of Education Policy 20018-TCS-0C adhere to relevant standards and requirements established by the State Board of Education, including provisions related to the user identification, password and workstation security standards. Employees must follow all such standards for all any computers used to access the student information system, including the employee’s personal computer.

  1. Remote Access

The superintendent and technology director may grant remote access to authorized users of the school system’s computer systems. The technology director or designee shall ensure that such access is provided through secure, authenticated and carefully managed access methods.

Legal References: G.S. 115C-523, -524; State Board of Education Policy SBOP-018

Cross References: Professional and Staff Development (policy 1610/7800), Technology in the Educational Program (policy 3220), Technology Acceptable Use (policy 7320)-3225-4312 School Improvement Plan (policy 3430), Use of Equipment, Materials and Supplies (policy 6520) Other References: State of North Carolina Statewide Information Security Manual (Enterprise Security and Risk Management Office

Adopted: 2017-03-21 Revised: 2017-04-28