Avery County Schools Policy Policy Code: 6526
ACSNET TECHNOLOGY RESOURCES SECURITY
The ACSNet system consists of various technology resources and services, including, but not limited to, computer workstations, network servers, software applications and services such as internet access and email. These resources are vital to the instructional program and to the effective and efficient operation of the District. The resources must be protected and secured.
Identification and Authentication of Users All users must be properly identified and authenticated before being allowed to access resources and services provided by the ACSNet system. The primary means of identification and authentication used within the ACSNet system is a combination of unique user-id and password. • A unique user-id will be assigned for each user so that individual accountability can be established for all system activities. • Administrative approval is required for each user-id creation. User-ids will be created and managed by the Director of Technology Services or by his/her designee. • A process is established in an administrative procedure to assign, suspend, move or remove user-id accounts. • A password management procedure is established to ensure the confidentiality of passwords and to prevent exploitation of weak passwords. • Except as specifically allowed by the ACSNet security administrator, passwords shall not be revealed to anyone, including a supervisor, family members or co-workers. In special cases where a user must divulge a password, such as for system support, the user shall immediately change the password after the purpose for revealing the password has been achieved. Intentionally sharing UserID/Password information with unauthorized persons is a breach of security policy and may result in disciplinary action. • During a brief period at the start of the first and second semesters of the school year, students may be provided with a “shared” network account to be used only until their personal user-id and password has been created. The shared account will be disabled as soon as all students have been provided with their personal accounts. At no time should staff or faculty use the shared student account. • Users are responsible for all activities performed under their personal user-id. Workstations must be locked, secured or logged off any time the current user is not in direct control of the computer, e.g. stepping away from one’s desk, lunch break, fire drill, etc. • Certain software applications use security models and procedures that are separate from the ACSNet user-id/password process. Examples of this situation include NCWise, Follett Library Automation system, GroupWise WebAccess email system and Education Law in North Carolina. User-ids and passwords will be created and maintained for these products with the same emphasis on overall system security as that considered for ACSNet. Procedures describe the method and management of account creation, adherence to required user-id/password parameters and overall management of the product security.
Avery County Schools Policy Code: 6526 Page 1 of 4 Employee Access to Data Employees shall be given access (assignment of network user-id / password and assignment of appropriate rights) to confidential data only after being provided an opportunity to review the Employee Acceptable Use Policy contained in Policy 3225/7320. It shall be the responsibility of each employee’s supervisor to verify that each employee who accesses information is properly trained and aware of their role and responsibility for maintaining information confidentiality and data security.
Employees should save all data to the network storage resource (server) rather than workstation hard-drives. Data saved to a network server is generally far more secure than data saved to a workstation. Data saved to the network is protected by antivirus software and other electronic devices. Workstation hard-drives may not be backed up properly and are far more susceptible to viruses and malware problems than are network servers. Workstations are not generally protected from electrical surges and spikes that cause damage.
Security Measures The Information Technology Services department shall implement and utilize a variety of security measures to prevent unauthorized access to and use of ACSNet resources. These measures include firewalls, filters, sniffers, and packet shapers. New tools, as they are developed and become available, may be utilized to prevent security incidents and protect resources. Users should have no expectation of privacy in the material stored, sent or received by them over the ACSNet system. Monitoring of this material may occur to either insure the security and operating performance of the ACSNet system, or to enforce district policies or compliance with state or federal law.
Computer Workstation Security Computer workstations used as part of the ACSNet system are the property of Avery County Schools and are provided to staff and students as a resource to accomplish the instructional and administrative goals of the District. In order to maximize the availability of these critical resources, steps are taken to protect the integrity of the operating systems and application software. • All computer workstations must be protected by a security program that prevents installation and modification of software. The only allowed exceptions are workstations that must run application software required by the District that will not run within the secured environment. • No user will intentionally defeat or disable the operation of the workstation security software without the prior approval of the Technology Services staff. • No software may be installed without the prior approval of the Technology Services staff. Software interactions may render vital applications unusable, so new software must installed in a controlled environment before being placed into production. • Keystroke logging devices and/or software may not be installed without the approval of the Director of Technology Services. • Remote desktop control software may not be installed without the prior approval of the Director of Technology Services.
Avery County Schools Policy Code: 6526 Page 2 of 4 • Operating system software configuration changes may not be made without the prior approval of the Technology Services staff. This includes desktop configurations, screensavers, and other user-controllable applets provided within the operating system. Anti-virus Protection Using internet services, email services and exchanging data between computers exposes the ACSNet system to potentially harmful programs, Trojan horses, worms, and system exploits (collectively, “virus” or “viruses”). The ACSNet system resources must be protected from disruption caused by these agents. • The currently adopted antivirus application and current virus definition files for the product will be installed and maintained on all ACSNet workstations. ACSNet users will be instructed on the procedure for using the antivirus product to protect data. • Operating system and application software patches will be tested and installed as appropriate to protect the operating system and application software from resource exploits. • An administrative procedure describes the means of notifying users of virus threats, possible infections and methods to be used to identify, contain, remove and recover from virus events. • No user will intentionally defeat the operation of the antivirus software without the prior approval of the Technology Services Staff.
Malware Protection The Information Technology Services department will provide malware protection. This protection may take the form of software, appliances or services that help prevent the proliferation of malware infection within the ACSNet system. These systems will be maintained current within the budgetary constraints of the district.
Connecting Unauthorized Devices to the Network Unauthorized equipment (privately owned computers, laptops, wireless access points, switches, mini-hubs, etc.) shall not be connected to the network without the express authorization and approval of the Director of Information Technology Services or his designee..
Network Rights and Access to Network Resources and Services Users of the ACSNet system are provided access to networked resources and denied access to networked resources based on the needs of their educational program in the case of students, or based on their job requirements in the case of staff. Users are provided with only the network rights and access required to meet the needs of the instructional and administrative goals of the District. • Network rights and access to networked resources will be maintained and managed by the Director of Technology Services or his/her designee. • Network rights assignments will be periodically audited to ensure the assignments are current and appropriate. • Requests to change the scope of a user’s network rights will be submitted to the Director of Technology Services. The need for the change must be clearly demonstrated and, in the case of staff, the user’s supervisor must approve the change. • Network administration rights of varying levels will be granted only to Technology Services staff that have the expertise and the need to manage ACSNet networked resources.
Avery County Schools Policy Code: 6526 Page 3 of 4 Remote Access to the ACSNet System Remote access to certain services provided within the ACSNet system may be provided to individuals based on the instructional or administrative need to access such services and on the ability for such services to be provided without compromising the security of the ACSNet system and the data contained therein.
Confidentiality of Security Information and Security Measures District personnel shall not make public information concerning its security infrastructure. To do so might breach the security system and jeopardize the confidentiality of employee and student information.
Information Technology Security Incidents The Director of Information Technology Services shall establish different levels of security incidents and those incidents serious enough to compromise the integrity of the systems or data shall be investigated. Appropriate action will be taken to eliminate any determined weakness in the security system. High-level security breaches shall be reported to the Superintendent.
Technology Services Policies, Regulations, Standards and Guidelines The Director of Information Technology Services may develop and adopt, in accordance with the policies of the Avery County Schools Board of Education, policies, procedures, regulations, standards and guidelines to be followed by all employees and students regarding access to and use of any technology related services and/or equipment that is not specifically addressed here. Areas covered by these internal policies, regulations, standards and guidelines may include hardware and software purchases, equipment maintenance and repair, disaster recovery of data and hardware, web-site management, and password guidelines.
Avery County Schools Policy Code: 6526 Page 4 of 4