Protecting our students’ privacy is an important priority, and Weber School District (“District”) is committed to maintaining strong and meaningful privacy and security protections. It is the policy of the District that data or information in all its forms--written, electronic, or printed--is protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment, software, and practices used to process, store, and transmit data or information.
The Data Governance Plan (“Plan”) formally outlines how operational and instructional activity shall be carried out to ensure the District’s student data is accurate, accessible, consistent, and protected. The Plan establishes who is responsible for information under various circumstances and specifies what procedures shall be used to manage and protect it.
The Plan shall be a living document. It is reviewed annually, along with the Weber School District Data Protection Policy. The Plan and all modifications shall be posted on the District’s website.
The District is authorized to establish, implement, and maintain data and information security measures. Weber District Data Protection Policy and this Plan apply to all students and employees of the district, contractual third parties, visitors, contract workers, and agents of the district, and volunteers who have access to district data systems or data. The Policy and this Plan also applies to all forms of education data owned and maintained by the District , including but not limited to:
The District complies with all applicable regulatory acts, including but not limited to the following:
Classification is used to promote proper controls for safeguarding the confidentiality of data. Regardless of classification, the integrity and accuracy of all classifications of data are protected. The classification assigned and the related controls applied are dependent on the sensitivity of the data. Data are classified according to the most sensitive detail they include. Data recorded in several formats (e.g., source document, electronic record, report) have the same classification regardless of format.
Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as Weber District “systems”. All involved systems and student data maintained on these systems are assets of the District’s and shall be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.
Note: Only WSD district-supported email accounts shall be used for communications to and from school employees, to and from parents or other community members, to and from other educational agencies, to and from vendors or other associations, and to and from students for school business.
Audit Controls: Hardware, software, services and/or procedural mechanisms that record and examine activity in information systems that contain or use student data are reviewed by the Data Security Officer annually. Further, the Data Security Officer also regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews shall be documented and maintained for six (6) years.
Physical and Security Controls
The following physical and security controls shall be adhered to:
Password Control Standards
The District’s s Data Governance and Use Policy require the use of strictly controlled passwords for network access and for access to secure sites and information. In addition, all users are assigned to Microsoft security groups that are managed through Microsoft Group Policies. The security groups include separate groups at each school for Office Staff, Tech Staff, Instructional Staff, Students, and Users.
Purchasing and Disposal Procedures for
This procedure is intended to provide for the proper purchasing and disposal of technological devices only. Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as ‘systems’ in this document. For further clarification of the term technological systems contact the District’s (WSD) Technology Director.
All involved systems and information are assets of the District and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.
All systems that will be used in conjunction with the District technology resources or purchased, regardless of funding, shall be purchased from an approved list or be approved by the Technology Director. Failure to have the purchase approved may result in lack of technical support, request for removal from premises, or denied access to other technology resources.
All electronic equipment is subject to Utah competitive bid laws. There are several purchasing coops that have been approved for use by the Utah State Board of Education. In the event that a desired product is not included in one of these agreements, the District bids the item or items using the district’s competitive bidding process. All technological systems, services, etc. over $15,000 purchased with public funds are subject to Utah’s competitive bid laws.
All technological devices or systems over $500 are inventoried by the Technology Department in accordance with the District’s Finance Department using the iFAS inventory system. There are some exceptions under $500, as determined by the Technology Director, such as but not limited to companion devices or peripherals that are inventoried. The district technology staff is responsible for ensuring that any network equipment, file servers, or district systems, etc. are inventoried.
Equipment shall be considered for disposal for the following reasons:
The local school principal, Technology Director, and the District’s WSD Purchasing Agent shall approve school disposals by discard or donation. Written documentation in the form of a spreadsheet including but not limited to the following shall be provided to the District Technology Office no later than Wednesday at 9:00 a.m.
Once equipment has been designated and approved for disposal, it shall be handled according to one of the following methods. It is the responsibility of the local school Technology Coordinator to modify the iFas inventory entry to reflect any in-school transfers, in-district transfers, donations, or discards for technological systems. The district technology staff is responsible for modifying the inventory records to reflect any transfers within the central offices, transfers of central office electronic equipment to local schools, central office donations, or central office discards.
If the equipment has not reached the end of its estimated life, an effort shall be made to redistribute the equipment to locations where it can be of use, first within an individual school or office, and then within the district. Service requests may be entered to have the equipment moved, reinstalled and, in the case of computers, laptops, or companion devices, have it wiped and reimaged or configured.
All electronic equipment in the District’s shall be discarded in a manner consistent with applicable environmental regulations. Electronic equipment may contain hazardous materials such as mercury, lead, and hexavalent chromium. In addition, systems may contain Personally Identifiable Information (PII), Confidential, or Internal Information. Systems shall be wiped clean of this information prior to leaving the school district.
A district-approved vendor shall be contracted for the disposal of all technological systems/equipment. The vendor shall provide written documentation verifying the method used for disposal and a certificate stating that no data of any kind can be retrieved from the hard drive or any other component capable of storing data. Under no circumstances should any technological systems/equipment be placed in the trash. Doing so may make the District and/or the employee who disposed of the equipment liable for violating environmental regulations or laws.
If the equipment is in good working order, but no longer meets the requirements of the site where it is located, and cannot be put into use in another part of a school or system, it may be donated upon the written request of the receiving public school system’s superintendent or non-profit organization’s director.
It shall be made clear to any school or organization receiving donated equipment that the District WSD is not agreeing to and is not required to support or repair any donated equipment. It is donated AS IS.
District WSD staff should make every effort before offering donated equipment, to make sure that it is in good condition and can be re-used. Microsoft licenses or any other software licenses are not transferred outside the District .
Donations are prohibited to individuals outside of the school system or to current faculty, staff, or students of the District . The donation of or sale of portable technology-related equipment is permissible to retiring employees if the following criteria have been met:
All donations and/or sales shall be approved by the Finance Director and Technology Director.
Weber School District’s Technological Services and Systems
Memorandum of Agreement (MOA)
THIS MEMORANDUM OF AGREEMENT, executed and effective as of the ____ day of _________________, 20___, by and between _________________, a corporation organized and existing under the laws of (the “Company”), and WEBER SCHOOL DISTRICT (WSD), a public school system organized and existing under the laws of the state of Utah (the “School Board”), recites and provides as follows.
The Company and the School Board are parties to a certain agreement entitled “_________________________” hereafter referred to as (the “Agreement”). In connection with the execution and delivery of the Agreement, the parties wish to make this Memorandum of Agreement (also referred to as MOA or Addendum) a part of the original Agreement in order to clarify and/or make certain modifications to the terms and conditions set forth in the original Agreement.
The Company and the School Board agree that the purpose of such terms and conditions is to ensure compliance with the Family Educational Rights and Privacy Act (FERPA) and the overall privacy and security of student Personally Identifiable Information (PII) hereafter referred to as student information and/or data, including but not limited to (a) the identification of the Company as an entity acting for the School Board in its performance of functions that a School Board employee otherwise would perform; and (b) the establishment of procedures for the protection of PII, including procedures regarding security and security breaches.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is acknowledged hereby, the parties agree as follows.
The following provisions shall be deemed to be included in the Agreement:
Confidentiality Obligations Applicable to Certain WSD Student Records. The Company hereby agrees that it shall maintain, in strict confidence and trust, all WSD student records containing personally identifiable information (PII) hereafter referred to as “Student Information”. Student information shall not be shared with any other resource or entity that is outside the intended purpose of the Agreement.
The Company shall cause each officer, director, employee and other representative who shall have access to WSD Student Records during the term of the Agreement (collectively, the “Authorized Representatives”) to maintain in strict confidence and trust all WSD Student Information. The Company shall take all reasonable steps to insure that no WSD Student information is disclosed to any person or entity except those who (a) are Authorized Representatives of the Company performing functions for WSD under the Agreement and have agreed to be bound by the terms of this Agreement; (b) are authorized representatives of WSD, or (c) are entitled to such WSD student information from the Company pursuant to federal and/or Utah law. The Company shall use WSD student information, and shall take all reasonable steps necessary to ensure that its Authorized Representatives shall use such information, solely for purposes related to and in fulfilment of the performance by the Company of its obligations pursuant to the Agreement.
The Company shall: (a) designate one of its Authorized Representatives to be responsible for ensuring that the Company and its Authorized Representatives maintain the WSD student information as confidential; (b) train the other Authorized Representatives with regard to their confidentiality responsibilities hereunder and pursuant to federal and Utah law; (c) maintain at all times a list of Authorized Representatives with access to WSD student information.
Other Security Requirements. The Company shall maintain all technologies, policies, procedures and practices necessary to secure and protect the confidentiality and integrity of WSD student information, including procedures to (a) establish user IDs and passwords as necessary to protect such information; (b) protect all such user passwords from detection and unauthorized use; (c) prevent hostile or unauthorized intrusion that could result in data corruption, or deny service; (d) prevent and detect computer viruses from spreading to disks, attachments to e-mail, downloaded files, and documents generated by word processing and spreadsheet programs; (e) minimize system downtime; (f) notify WSD of planned system changes that may impact the security of WSD data; (g) return or destroy WSD data that exceed specified retention schedules; (h) notify WSD of any data storage outside the US; (i) in the event of system failure, enable immediate recovery of WSD information to the previous business day. The Company should guarantee that WSD data shall not be sold to, accessed by, or moved by third parties.
In the event of a security breach, the Company shall (a) immediately take action to close the breach; (b) notify WSD within 24 hours of Company's first knowledge of the breach, the reasons for or cause of the breach, actions taken to close the breach, and identify the WSD student information compromised by the breach; (c) immediately notify the student, if they are an adult student, or the legal guardian if the student is not an adult (d) return compromised WSD data for review; (e) provide communications on the breach to be shared with affected parties and cooperate with WSD efforts to communicate to affected parties by providing WSD with prior review of press releases and any communications to be sent to affected parties; (f) take all legally required, reasonable, and customary measures in working with WSD to remediate the breach which may include toll free telephone support with informed customer services staff to address questions by affected parties and/or provide monitoring services if necessary given the nature and scope of the disclosure; (g) cooperate with WSD by providing information, records and witnesses needed to respond to any government investigation into the disclosure of such records or litigation concerning the breach; and (h) provide WSD with notice within 24 hours of notice or service on Company, whichever occurs first, of any lawsuits resulting from, or government investigations of, the Company's handling of WSD data of any kind, failure to follow security requirements and/or failure to safeguard WSD data. The Company’s compliance with the standards of this provision is subject to verification by WSD personnel or its agent at any time during the term of the Agreement. Said information should only be used for the purposes intended and shall not be shared, sold, or moved to other companies or organizations nor should other companies or organization be allowed access to said information. (HB 358 53A-1-1405:475)
Disposition of WSD Data Upon Termination of Agreement
Upon expiration of the term of the Agreement, or upon the earlier termination of the Agreement for any reason, the Company agrees that it promptly shall deliver to the School Board, and shall take all reasonable steps necessary to cause each of its Authorized Representatives promptly to deliver to the School Board, all required WSD student data and/or staff data or proof that all student/staff data has been expunged. The Company hereby acknowledges and agrees that, solely for purposes of receiving access to WSD data and of fulfilling its obligations pursuant to this provision and for no other purpose (including without limitation, entitlement to compensation and other employee benefits), the Company and its Authorized Representatives shall be deemed to be school officials of the School Board, and shall maintain WSD data in accordance with all federal state and local laws, rules and regulations regarding the confidentiality of such records. The non-disclosure obligations of the Company and its Authorized Representatives regarding the information contained in WSD data shall survive termination of the Agreement. The Company shall indemnify and hold harmless the Board from and against any loss, claim, cost (including attorneys' fees) or damage of any nature arising from or in connection with the breach by the Company or any of its officers, directors, employees, agents or representatives of the obligations of the Company or its Authorized Representatives under this provision.
Certain Representations and Warranties. The Company hereby represents and warrants as follows: (a) the Company has full power and authority to execute the Agreement and this MOA and to perform its obligations hereunder and thereunder; (b) the Agreement and this MOA constitute the valid and binding obligations of the Company, enforceable in accordance with their respective terms, except as such enforceability may be limited by bankruptcy or similar laws affecting the rights of creditors and general principles of equity; and (c) the Company’s execution and delivery of the Agreement and this Addendum and compliance with their respective terms will not violate or constitute a default under, or require the consent of any third party to, any agreement or court order to which the Company is a party or by which it
may be bound.
Governing Law; Venue. Notwithstanding any provision contained in the Agreement to the contrary, (a) the Agreement shall be governed by and construed in accordance with the laws of the State of Utah, without reference to conflict of laws principles; and (b) any dispute hereunder which is not otherwise resolved by the parties hereto shall be decided by a court of competent jurisdiction located in the State of Utah.
IN WITNESS WHEREOF, the parties hereto have caused this Addendum to be executed by their duly authorized officers effective as of the date first written above.
WEBER SCHOOL DISTRICT
Weber School District
The purpose of this policy is to ensure the secure use and handling of all district data, computer systems and computer equipment by District students, patrons, and employees.
It is the policy of the Weber School District to support secure network systems in the district, including security for all personally identifiable information that is stored on paper or stored digitally on district-maintained computers and networks. This policy supports efforts to mitigate threats that may cause harm to the district, its students, or its employees.
The district will ensure reasonable efforts will be made to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, etc., and may not be preventable.
All persons who are granted access to the district network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of district devices and the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the district’s Information Security Officer with the relevant information.
This policy and procedure also covers third party vendors/contractors that contain or have access to Weber School District critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.
It is the policy of Weber School District to fully conform with all federal and state privacy and data governance laws. Including the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records and Management Act U.C.A. §62G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq and Utah Administrative Code R277-487.
Professional development for staff and students regarding the importance of network security and best practices are included in the procedures. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network and the Utah State Office of Education. Weber School District supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect Weber School District’s data, users, and electronic assets.
3.1.1. Access: Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.
3.1.2. Authorization: Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.
3.1.3. Computer: Any electronic device or communication facility that stores, retrieves, processes, or transmits data.
3.1.4. Computer system: A set of related, connected or unconnected, devices, software, or other related computer equipment.
3.1.5. Computer network: The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.
3.1.6. Computer property: Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.
3.1.7. Confidential: Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.
3.1.8. Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
3.1.9. Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered protected data
3.1.10. Security system: A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.
3.1.11. Sensitive data - Data that contains personally identifiable information.
3.1.12. System level – Access to the system that is considered full administrative access. Includes operating system access and hosted application access.
3.2.1. Weber School District shall appoint, in writing, an IT Security Group (ISG) responsible for overseeing District-wide IT security with duties that include development of District policies and adherence to the standards defined in this document.
3.3.1. Weber School District, led by the ISG, shall ensure that all District employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. - Training resources will be provided to all District employees.
3.4.1. Computer Security
22.214.171.124. Weber School District shall ensure that any user’s computer must not be left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers should be used to enforce this requirement.
126.96.36.199. Weber School District shall ensure that all equipment that contains sensitive information will be secured to deter theft.
3.4.2. Server/Network Room Security
188.8.131.52. Weber School District shall ensure that server rooms and telecommunication rooms/closets are protected by appropriate access control which segregates and restricts access from general school or District office areas. Access control shall be enforced using either keys, electronic card readers, or similar method with only those IT or other staff members having access necessary to perform their job functions are allowed unescorted access.
184.108.40.206. Telecommunication rooms/closets may only remain unlocked or unsecured when because of building design it is impossible to do otherwise or due to environmental problems that require the door to be opened.
3.4.3. Contractor access
220.127.116.11. Before any contractor is allowed access to any computer system, server room, or telecommunication room the contractor will need to present a company issued identification card, and his/her access will need to be confirmed directly by the authorized employee who issued the service request or by Weber School District’s Technology Department.
3.5.1. Network perimeter controls will be implemented to regulate traffic moving between trusted internal (District) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.
3.5.2. Network Segmentation
18.104.22.168. Weber School District shall ensure that all untrusted and public access computer networks are separated from main district computer networks and utilize security policies to ensure the integrity of those computer networks.
22.214.171.124. Weber School District will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.
3.5.3. Wireless Networks
126.96.36.199. No wireless access point shall be installed on Weber School District’s computer network that does not conform with current network standards as defined by the Network Manager. Any exceptions to this must be approved directly in writing by the Information Security Group.
188.8.131.52. Weber School District shall scan for and remove or disable any rogue wireless devices on a regular basis.
184.108.40.206. All wireless access networks shall conform to current best practices and shall utilize at minimal WPA encryption for any connections. Open access networks are not permitted, except on a temporary basis for events when deemed necessary.
3.5.4. Remote Access
220.127.116.11. Weber School District shall ensure that any remote access with connectivity to the District’s internal network is achieved using the District’s Palo Alto Global VPN service that is protected by multiple factor authentication systems. Any exception to this policy must be due to a service provider’s technical requirements and must be approved by the Information Security Officer.
3.6.1. System and application access will be granted based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.
18.104.22.168. Weber School District shall enforce strong password management for employees, students, and contractors.
22.214.171.124. Password Creation
126.96.36.199.1. All server system-level passwords must conform to the Password Construction Guidelines posted on the Weber School District Technology Website.
188.8.131.52. Password Protection
184.108.40.206.1. Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.
220.127.116.11.2. Passwords must not be inserted into email messages or other forms of electronic communication.
18.104.22.168.3. Passwords must not be revealed over the phone to anyone.
22.214.171.124.4. Do not reveal a password on questionnaires or security forms.
126.96.36.199.5. Do not hint at the format of a password (for example, "my family name").
188.8.131.52.6. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
184.108.40.206. Weber School District shall ensure that user access shall be limited to only those specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.
220.127.116.11. Weber School District shall ensure that user access should be granted and/or terminated upon timely receipt, and management’s approval, of a documented access request/termination.
18.104.22.168. Weber School District shall ensure that audit and log files are maintained for at least ninety days for all critical security-relevant events such as: invalid logon attempts, changes to the security policy/ configuration, and failed attempts to access objects by unauthorized users, etc.
3.6.4. Administrative Access Controls
22.214.171.124. Weber School District shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.
3.7.1. Monitoring and responding to IT related incidents will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.
3.8.1. To ensure continuous critical IT services, IT will develop a business continuity/disaster recovery plan appropriate for the size and complexity of District IT operations.
3.8.2. Weber School District shall develop and deploy a district-wide business continuity plan which should include as a minimum:
3.9.1. Server and workstation protection software will be deployed to identify and eradicate malicious software attacks such as viruses, spyware, and malware.
3.9.2. Weber School District shall install, distribute, and maintain spyware and virus protection software on all district-owned equipment, i.e. servers, workstations, and laptops.
3.9.3. Weber School District shall ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.
3.9.4. Weber School District shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.
3.9.5. All computers must use the District approved anti-virus solution.
3.9.6. Any exceptions to section 3.9 must be approved by the Information Security Officer.
3.10.1. In accordance with Federal and State Law, Weber School District shall filter internet traffic for content defined in law that is deemed harmful to minors.
3.10.2. Weber School District acknowledges that technology based filters are not always effective at eliminating harmful content and due to this, Weber School District uses a combination of technological means and supervisory means to protect students from harmful online content.
3.10.3. In the event that students take devices home, Weber School District will provide a technology based filtering solution for those devices. However, the District will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.
3.10.4. Students shall be supervised when accessing the internet and using district owned devices on school property.
3.11.1. Weber School District considers the protection of the data it collects on students, employees and their families to be of the utmost importance.
3.11.2. Weber School District protects student data in compliance with the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 ( “FERPA”), the Government Records and Management Act U.C.A. §62G-2 ( “GRAMA”), U.C.A. §53A-1-1401 et seq, 15 U.S. Code §§ 6501–6506 (“COPPA”) and Utah Administrative Code R277-487 (“Student Data Protection Act”).
3.11.3. Weber School District shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.
3.12.1. Weber School District shall perform routine security and privacy audits in congruence with the District’s Information Security Audit Plan.
3.12.2. District personnel shall develop remediation plans to address identified lapses that conforms with the District’s Information Security Remediation Plan Template.
3.13.1 Employee Disciplinary Actions shall be in accordance with applicable laws, regulations and District policies. Any employee found to be in violation may be subject to disciplinary action up to and including termination of employment with the Weber School District.