8305 - INFORMATION SECURITY
The School Corporation collects, classifies, and retains data/information from and about students, staff, vendors/contractors, and other individuals, about programs and initiatives undertaken by the school system, and about and related to the business of the Corporation. This information may be in hard copy or digital format and may be stored in the Corporation or offsite with a third-party provider.
Protecting Corporation data/information is of paramount importance. Information security requires everyone’s active participation to keep the Corporation’s data/information secure. This includes School Board members, staff members/employees, students, parents, contractors/vendors, and visitors who use Corporation Technology and Information Resources. The Corporation will work to protect the data/information, computer network, or system from attack vectors, or methods by which the computer network or system is attacked, infiltrated, or otherwise compromised.
A cybersecurity incident is a malicious or suspicious occurrence that consists of one (1) or more of the categories of attack vectors and are defined as websites that:
- jeopardize or may potentially jeopardize the confidentiality, integrity, or availability of an information system, an operational system, or the information that such systems process, store or transmit;
- jeopardizes or may potentially jeopardize the health and safety of the public; or
- violate security policies, security procedures, or acceptable use policies (See Policy7540.03 - Student Acceptable Use Policy/Policy 7540.04 - Staff Acceptable Use Policy)
A cybersecurity incident may consist of one (1) or more of the following categories of attack vectors: 1) ransomware; 2) business email compromise; 3) vulnerability exploitation; 4) zero-day exploitation; 5) distributed denial of service; 6) website defacement; or other sophisticated attacks as defined by the Chief Information Officer (CIO) and identified by the Corporation on its website.
Individuals who are granted access to data/information collected and retained by the Corporation must follow established procedures so that the information is protected and preserved. Board members, administrators, and all Corporation staff members, as well as contractors, vendors, and their employees, granted access to data/ information retained by the Corporation are required to certify annually that they shall comply with the established information security protocols pertaining to Corporation data/information. Further, all individuals granted access to Corporation Confidential Data/Information retained by the Corporation must certify annually that they will comply with the information security protocols pertaining to Confidential Data/Information. Completing the appropriate section of the Staff Technology Acceptable Use and Safety form shall provide this certification.
All Board members, staff members/employees, students, contractors/vendors, and visitors who have access to Board-owned or managed data/information must maintain the safety and security of that data/information and the Corporation Technology Resources on which it is stored.
If an individual has any questions concerning whether this policy and/or its related administrative guidelines apply to him/her or how they apply to him/her, the individual should contact the Corporation’s Technology Director or Information Technology Department/Office.
The Board authorizes the Superintendent to develop administrative guidelines that set forth the internal controls necessary to provide for the collection, classification, retention, access, and security of Corporation Data/Information. Within the established administrative guidelines, the Superintendent will determine a method for maintaining a repository of cybersecurity incidents.
Further, the Superintendent is authorized to develop procedures that would be implemented in the event of an unauthorized release of data/information. These procedures shall comply with the Corporation’s legal requirements if such a breach of personally-identifiable information occurs.
The Superintendent shall require the participation of staff members in appropriate training related to the internal controls pertaining to the data/information that they collect, to which they have access, and for which they would be responsible for the security protocols.
Third-party contractors/vendors who require access to Corporation Confidential Data/Information will be informed of relevant Board policies that govern access to and use of Corporation Information Resources, including the duty to safeguard the confidentiality of such data/information.
Failure to adhere to this Policy and its related administrative guidelines ("AGs") may put Corporation data/information at risk. Employees who violate this policy and/or the administrative guidelines promulgated consistent with this policy may have disciplinary consequences imposed, up to and including termination of employment, and/or referral to law enforcement. Students who violate this Policy and/or AGs will be referred to the Corporation’s disciplinary system and/or law enforcement. Contractors/vendors who violate this Policy and/or AGs may face termination of their business relationships with and/or legal action by the Corporation. Parents and visitors who violate this Policy and/or AGs may be denied access to Corporation Technology Resources.
The Superintendent shall conduct a periodic assessment of risk related to the access to and security of the data/information retained by the Corporation, as well as the viability of the Continuity of Organizational Operations Plan developed pursuant to Policy 8300.
© Neola 2021