8305B - INFORMATION SECURITY INCIDENT MANAGEMENT
This administrative guideline governs the reporting and management of security incidents involving the District’s information resources (as defined in Bylaw 0100).
Every Board member, staff member/employee, student, parent, contractor/vendor, and visitor to school property who accesses District-owned or managed information through computing systems or devices ("users") must report information security incidents (as defined below) promptly per the procedures described herein.
When an information security incident involves District confidential data/information (as defined below) or mission critical devices (as defined below), the District Administrator/Technology Director/District’s Information Technology Office may, in coordination with the District’s Security Office, direct the incident response and investigation. The Technology Director is authorized, in conjunction with the District Administrator, to take any action necessary to mitigate the risk posed by the information security incident.
An employee who puts District confidential data/information at risk as a result of his/her failure to adhere to relevant policies/administrative guidelines/the law may be subject to disciplinary consequences, up to and including termination of employment and/or referral to law enforcement. Students who fail to adhere to applicable policies/administrative guidelines/the law will be referred to school and/or District administration for review and determination of the consequences of their actions, including referral to law enforcement. Contractors and vendors who fail to adhere to applicable policies/administrative guidelines/the law may face termination of their business relationships with and/or legal action by the District. Parents and visitors who fail to adhere to applicable policies/administrative guidelines/the law may be denied access to District technology and information resources and/or referral to law enforcement. Violations can in some cases also carry the risk of civil or criminal penalties.
The IT Director is responsible for establishing and maintaining an up-to-date information security management plan.
The school site administrator (e.g., the Principal) or the District-wide department administrator, along with the Tech Specialist [or equivalent], are responsible for reporting information security incidents at their site.
Definitions
- Incident Management Plan
The IT Department, in conjunction with department/division/building leaders, must develop and maintain a plan that contains procedures on how to handle information security incidents, including contact information for site/unit personnel with responsibility for responding to the incident, plans to contain an incident, and procedures on how to restore information. - Information Security Incident
Includes any incident that is known or has the potential to negatively impact the confidentiality, integrity, or availability of District information/data. This can range from the loss of a laptop, tablet, or other mobile/portable storage device, the virus infection of an end-user workstation, or a breach of a District system by a hacker. - Mission Critical Resource
Includes any resource that is critical to the mission and operation of the District and any device that is running a mission critical service or stores District confidential data/information. Mission critical services must be available. Mission critical resources for information security purposes include, for example, information/data assets, software, hardware, and facilities related to human resources, finance, student information services, payroll, email). - District Confidential Data/Information
Includes all data, in its original and duplicate form, that contains:
- "personal identifying information", as defined by State and Federal laws;
This includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, State identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or information that can be used to access a person's financial resources. - "protected health information" as defined by the HIPAA;
- student "education records", as defined by the Family Educational Rights and Privacy Act (FERPA) and State law;
- information that is deemed to be confidential in accordance with the Wisconsin Public Records Act;
- "card holder data", as defined by the Payment Card Industry (PCI) Data Security Standard (DSS).
- "personal identifying information", as defined by State and Federal laws;
Adherence to the procedures outlined below will streamline the handling of information security incidents and minimize the timeframe during which District confidential data/information and mission critical resources are left in a vulnerable state.
Incident Reporting
Given the risks associated with information security incidents, as well as implications for the District related to compliance with Federal and State regulatory requirements, it is essential that school site administrators and District department administrators be aware of information security issues and their responsibilities for reporting and mitigating information security risks.
School site administrators and District department administrators who manage business units that maintain and manage their site’s Information Resources must designate employees as primary and back-up information security contacts, provide the District’s Information Technology Office with the names and contact information of these individuals, update this information whenever it changes, and verify that these contacts are trained by the District’s Technology Office to perform their duties.
Each information security contact shall serve as an intermediary between his/her respective District site or office and the District’s Information Technology Office and must assist the site or office s/he serves in implementing information security policies and information security initiatives including training of site staff and in responding to data breach incidents, all in close coordination with the District’s Information Technology Office.
Every technology user, including Board members, staff members/employees, students, parents, contractors/vendors, and visitors to campus, who has access to Board-owned or managed Information Resources and who suspects that there may have been an information security incident (ranging from a lost or stolen laptop, tablet or other mobile/portable storage device, the virus infection of an end-user work station, or a major intrusion by a hacker) must promptly report the incident to his/her Principal or director/manager and/or the information security contact for that unit/site.
The information security contact’s roles and responsibilities include, but are not limited to:
serving as a single point of contact for the District’s Information Technology Office regarding security efforts and information security incidents that affect District sites;
aiding the District’s Information Technology Office in improving information security in the District by coordinating with them on security matters;
working with the District’s Information Technology Office on incident management and response as well as assist the District’s Information Technology Office, as needed, in certain activities including coordinating the following with the District’s Technology Office:
ensuring proper identification and classification of mission critical devices and technology resources storing District confidential data/information within their school site or business unit/department;
advising and training their site’s administration, faculty, and staff on the implementation of appropriate security controls for technology resources (as defined In Bylaw 0100) and information resources;
meeting periodically with the District’s Information Technology Office to move forward District security initiatives for their respective sites;
maintaining an up-to-date list of staff/users with access to District confidential data/information and controlled data/information in their working group and promptly notify District’s Information Technology Office of any personnel changes, including transfers within the District;
providing basic security advice for all assigned systems and users within their site;
ensuring timely compliance with security awareness requirements, including appropriate refresher training and training of new employees;
In consultation with the Principal, the contact will oversee the site’s compliance with applicable State and Federal laws as well as Board policies regarding District confidential data/information.ensuring that any detected vulnerabilities are remediated in a timely manner;
advising their site regarding the implementation of appropriate security controls consistent with the District’s information security policy;
collecting incident response information;
The contact must provide a timely notification of the District’s Information Technology Office regarding any information security incidents for their respective site consistent with the incident management procedure. In addition, the contact must provide a timely and comprehensive response to information security incidents in coordination with the District’s Information Technology Office.coordinating with the District’s Information Technology Office regarding the District’s information security strategic initiatives.
Each information security incident will be classified accordingly to the following "levels":
| Incident Level | Examples | Investigation Type |
| Level 1 | Violation of Board policies and administrative procedures | Basic investigation of an incident. |
A virus or malware detection. | Remediation advice for an incident is provided. | |
| Device isolation, if necessary. | ||
| Level 2 | Unauthorized computer/network access, misuse, or user permission issue. Computer/system theft, damage, or loss. Malicious denial of service attack or other attempt | Investigation of the incident. |
| Notification will be provided if applicable pursuant to AG 8305C. | ||
| Level 3 | Hacking or system breach to core/mission critical systems. Unauthorized release of District confidential | Investigation of a likely or confirmed breach of a system processing/storing District Confidential Data/Information or a mission critical system. |
| Investigation of information technology relevant issues performed in support of criminal or civil cases, as well as District internal investigations. | ||
| Notification will be provided if applicable pursuant to AG 8305C. |
In the event of a possible Level 2 or 3 information security incident, the user or administrator of the potentially compromised system or device should work with the site’s information security contact to preserve all evidence, including leaving the possibly compromised machine powered up and online, and refraining from accessing the system or machine in any way. The information security contact will then report the incident to the District’s Information Technology Office and/or Security Office. The District’s Information Technology Office and the Security Office will advise how best to proceed for purposes of preserving evidence and constructing an audit trail for the investigation of the incident. As appropriate, the District’s Security Office will coordinate with public safety and law enforcement officials.
The District Administrator will coordinate all external communications with the media or the public related to any information security incident.
© Neola 2017