
Monday, 13 November 2017 10:26

Data Governance Plan

LEA Data Governance Plan

1. Governing Principles

Weber School District (referred to as the LEA throughout) takes its responsibility toward student data seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):

  • Risk: There is risk associated with data and content. The risk must be formally recognized, either as a liability or through incurring costs to manage and reduce the inherent risk.
  • Due Diligence: If a risk is known, it must be reported. If a risk is possible, it must be confirmed.
  • Audit: The accuracy of data and content is subject to periodic audit by an independent body.
  • Accountability: An organization must identify parties which are ultimately responsible for data and content assets.
  • Liability: The risk inherent in information means there is a financial liability in all data or content, arising from regulatory and ethical misuse or mismanagement.

2. Data Maintenance and Protection Policy

The LEA recognizes that there is risk and liability in maintaining student data and other education-related data and will incorporate reasonable data industry best practices to mitigate this risk.

2.1 Process

In accordance with R277-487, the LEA shall do the following:

  • Designate an individual as an Information Security Officer
  • Adopt the CIS Controls or comparable
  • Report to the USBE by October 1 each year regarding the status of the adoption of the CIS controls or comparable and future plans for improvement.


3. Roles and Responsibilities Policy

The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities are as follows:

3.1 Data Manager roles and responsibilities

  • authorize and manage the sharing, outside of the student data manager's education entity, of personally identifiable student data for the education entity as described in this section
  • provide for necessary technical assistance, training, and support
  • act as the primary local point of contact for the state student data officer
  • ensure that the following notices are available to parents:

3.2 Information Security Officer

  • Oversee adoption of the CIS controls
  • Provide for necessary technical assistance, training, and support as it relates to IT security

4. Training and Support Policy

The LEA recognizes that training and supporting educators and staff regarding federal and state data privacy laws is a necessary control to ensure legal compliance.

4.1 Procedure

  1. The data manager will ensure that all employees who have access to student records receive annual training on the confidentiality of student data. The content of this training will be based on the Data Sharing Policy.
  2. By October 1 each year, the data manager will report to USBE the completion status of the annual confidentiality training and provide a copy of the training materials used.
  3. The data manager shall keep a list of all employees who are authorized to access student education records after having completed a training that meets the requirements of 53E-9-204.
  4. Training will be provided via MyStudent and will be a requirement to access student records from that program and any others that contain student information.


5. Audit Policy

In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:

  • The effectiveness of the controls used to follow this data governance plan; and
  • Third-party contractors, as permitted by the contract described in 53E-9-309(2).

6. Data Sharing Policy

There is a risk of redisclosure whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compliance with federal and state law.

6.1 Procedure

  1. The data manager shall approve all data sharing or designate other individuals who have been trained on compliance requirements with FERPA.
  2. The Utah DPA list, as posted on the website, will be the main source of vendor approval. It lists the vendors that are approved, denied, or in the process of being vetted.
  3. Teachers can only release student information after the approval process has been completed and the vendor is listed on the Utah DPA website.
    1. Teachers and Staff will submit the website/app to their Administrator
    2. If it is approved by their Administrator, then it will be submitted to the Student Data Security Manager (SDSM)
    3. The SDSM will go through the privacy policy and terms of service of each submitted website
    4. The SDSM will also view all security protocols listed for the website, including login security.
    5. If the website's security controls are found to be adequate, it will be turned over to the Curriculum Department.
    6. The Curriculum Department will go through all websites and determine if they are aligned with curriculum and if similar websites are already being used in the district
    7. Once the website/app is approved by the Curriculum Department, it will be routed back to the SDSM
    8. The SDSM will then send the company a personalized Contract for signature
    9. When the Contract is signed and returned to the SDSM, one of two things will happen:
      1. The website will be added to the approved list.
      2. The website will be turned over to development for login sync with district servers and then added to the approved list
  4. For external research, the data manager shall ensure that the study follows the requirements of FERPA’s study exception described in 34 CFR 99.31(a)(6).
  5. After sharing from student records, the data manager shall ensure that an entry is made in the LEA Metadata Dictionary to record that the exchange happened.
  6. After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.

7. Expungement Request Policy

The LEA recognizes the risk that data which follows a student from year to year could be used to mistreat the student. The LEA shall review all requests for records expungement from parents and make a determination based on the following procedure.

7.1 Procedure

The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, assessment information.

The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.

  1. If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged.
  2. The LEA shall decide whether to expunge the data within a reasonable time after the request.
  3. If the LEA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing.
  4. The LEA shall hold the hearing within a reasonable time after receiving the request for a hearing.
  5. The LEA shall provide the parent notice of the date, time, and place in advance of the hearing.
  6. The hearing shall be conducted by an individual who does not have a direct interest in the outcome of the hearing.
  7. The LEA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney.
  8. The LEA shall make its decision in writing within a reasonable time following the hearing.
  9. The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.
  10. If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.

8. Data Breach Response Policy

The LEA shall follow industry best practices to protect information and data. In the event of a data breach or inadvertent disclosure of personally identifiable information, the LEA staff shall follow industry best practices for responding to the breach.

8.1 Procedures

  1. The Data Manager will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT)
  2. At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation.
  3. The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred.
  4. The information security officer will coordinate with other IT staff to determine the root cause of the breach and close the breach.
  5. The CIRT will coordinate with legal counsel to determine whether the incident meets the legal definition of a significant breach as defined in R277-487, and which entities and individuals need to be notified.
  6. If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.

9. Publication Policy

The LEA recognizes the importance of transparency and will post this policy on the LEA website.

Tuesday, 07 November 2017 12:33

IT Security Plan

1. Purpose

The purpose of this policy is to ensure the secure use and handling of all district data, computer systems and computer equipment by District students, patrons, and employees.

2. Policy

2.1 Technology Security

It is the policy of the Weber School District to support secure network systems in the district, including security for all personally identifiable information that is stored on paper or stored digitally on district-maintained computers and networks. This policy supports efforts to mitigate threats that may cause harm to the district, its students, or its employees.

The district will make reasonable efforts to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, and similar events, and may not always be preventable.

All persons who are granted access to the district network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of district devices and the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the district’s Information Security Officer with the relevant information.

This policy and procedure also covers third party vendors/contractors that hold or have access to Weber School District critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.

It is the policy of Weber School District to fully conform with all federal and state privacy and data governance laws, including the Family Educational Rights and Privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records Access and Management Act, U.C.A. §63G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq., and Utah Administrative Code R277-487.

Professional development for staff and students regarding the importance of network security and best practices is included in the procedures. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and with those of the Utah Education Network and the Utah State Office of Education. Weber School District supports the development, implementation and ongoing improvement of a robust security system of hardware and software that is designed to protect Weber School District’s data, users, and electronic assets.

3. Procedure

3.1. Definitions:

3.1.1.  Access: Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.

3.1.2. Authorization: Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.

3.1.3. Computer: Any electronic device or communication facility that stores, retrieves, processes, or transmits data.

3.1.4. Computer system: A set of related, connected or unconnected, devices, software, or other related computer equipment.

3.1.5. Computer network: The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.

3.1.6. Computer property: Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.

3.1.7. Confidential: Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.

3.1.8. Encryption or encrypted data: A method of protecting data so that it can only be read by someone who holds the secret key or password needed to decrypt it. Encryption protects the confidentiality of stored and transmitted data; it does not by itself prevent data loss or misuse by those who hold the key.

3.1.9. Personally Identifiable Information (PII): Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or that can be used to de-anonymize anonymous data, is considered protected data.

3.1.10. Security system: A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.

3.1.11. Sensitive data - Data that contains personally identifiable information.

3.1.12. System level: Access to the system that is considered full administrative access. Includes operating system access and hosted application access.

3.2. Security Responsibility

3.2.1. Weber School District shall appoint, in writing, an IT Security Group (ISG) responsible for overseeing District-wide IT security with duties that include development of District policies and adherence to the standards defined in this document.

3.3. Training

3.3.1. Weber School District, led by the ISG, shall ensure that all District employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. Training resources will be provided to all District employees.

3.4. Physical Security

3.4.1. Computer Security

3.4.1.1. Weber School District shall ensure that no user’s computer is left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log-off, screen locks and password-protected screen savers shall be used to enforce this requirement.

3.4.1.2. Weber School District shall ensure that all equipment that contains sensitive information will be secured to deter theft.

3.4.2. Server/Network Room Security

3.4.2.1. Weber School District shall ensure that server rooms and telecommunication rooms/closets are protected by appropriate access control which segregates and restricts access from general school or District office areas. Access control shall be enforced using keys, electronic card readers, or a similar method; only those IT or other staff members who need access to perform their job functions are allowed unescorted access.

3.4.2.2. Telecommunication rooms/closets may only remain unlocked or unsecured when building design makes it impossible to do otherwise, or when environmental problems require the door to be opened.

3.4.3. Contractor access

3.4.3.1. Before any contractor is allowed access to any computer system, server room, or telecommunication room, the contractor must present a company-issued identification card, and his/her access must be confirmed directly by the authorized employee who issued the service request or by Weber School District’s Technology Department.

3.5. Network Security

3.5.1. Network perimeter controls will be implemented to regulate traffic moving between trusted internal (District) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.

3.5.2. Network Segmentation

3.5.2.1. Weber School District shall ensure that all untrusted and public access computer networks are separated from main district computer networks and utilize security policies to ensure the integrity of those computer networks.

3.5.2.2. Weber School District will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.

3.5.3. Wireless Networks

3.5.3.1. No wireless access point shall be installed on Weber School District’s computer network that does not conform with current network standards as defined by the Network Manager.  Any exceptions to this must be approved directly in writing by the Information Security Group.

3.5.3.2. Weber School District shall scan for and remove or disable any rogue wireless devices on a regular basis.

3.5.3.3. All wireless access networks shall conform to current best practices and shall utilize, at a minimum, WPA encryption for all connections; because original WPA (TKIP) is deprecated, WPA2 or later is the expected baseline under current best practices. Open access networks are not permitted, except on a temporary basis for events when deemed necessary.

3.5.4. Remote Access

3.5.4.1. Weber School District shall ensure that any remote access with connectivity to the District’s internal network is achieved using the District’s Palo Alto Global VPN service, which is protected by multi-factor authentication. Any exception to this policy must be due to a service provider’s technical requirements and must be approved by the Information Security Officer.

3.6. Access Control

3.6.1. System and application access will be granted based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.

3.6.2. Authentication

3.6.2.1. Weber School District shall enforce strong password management for employees, students, and contractors.

3.6.2.2. Password Creation

3.6.2.2.1. All server system-level passwords must conform to the Password Construction Guidelines posted on the Weber School District Technology Website.

3.6.2.3. Password Protection

3.6.2.3.1. Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.

3.6.2.3.2. Passwords must not be inserted into email messages or other forms of electronic communication.

3.6.2.3.3. Passwords must not be revealed over the phone to anyone.

3.6.2.3.4. Do not reveal a password on questionnaires or security forms.

3.6.2.3.5. Do not hint at the format of a password (for example, "my family name"). 

3.6.2.3.6. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

3.6.3. Authorization

3.6.3.1. Weber School District shall ensure that user access shall be limited to only those specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

3.6.3.2. Weber School District shall ensure that user access is granted and/or terminated upon timely receipt, and management’s approval, of a documented access request/termination.

3.6.4. Accounting

3.6.4.1. Weber School District shall ensure that audit and log files are maintained for at least ninety days for all critical security-relevant events, such as invalid logon attempts, changes to the security policy/configuration, and failed attempts to access objects by unauthorized users.

3.6.5. Administrative Access Controls

3.6.5.1. Weber School District shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.

3.7. Incident Management

3.7.1. Monitoring and responding to IT related incidents will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.

3.8. Business Continuity

3.8.1. To ensure continuous critical IT services, IT will develop a business continuity/disaster recovery plan appropriate for the size and complexity of District IT operations.

3.8.2. Weber School District shall develop and deploy a district-wide business continuity plan which should include as a minimum:

  • Backup Data: Procedures for performing routine daily/weekly/monthly backups and storing backup media at a secured location other than the server room or adjacent facilities. As a minimum, backup media must be stored off-site a reasonably safe distance from the primary server room.
  • Secondary Locations: Identify a backup processing location, such as another School or District building.
  • Emergency Procedures: Document a calling tree with emergency actions to include: recovery of backup data, restoration of processing at the secondary location, and generation of student and employee listings for ensuring a full head count of all students and employees.

3.9. Malicious Software

3.9.1. Server and workstation protection software will be deployed to identify and eradicate malicious software such as viruses, spyware, and other malware.

3.9.2. Weber School District shall install, distribute, and maintain spyware and virus protection software on all district-owned equipment, i.e. servers, workstations, and laptops.

3.9.3. Weber School District shall ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.

3.9.4. Weber School District shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.

3.9.5. All computers must use the District approved anti-virus solution.

3.9.6. Any exceptions to section 3.9 must be approved by the Information Security Officer.

3.10. Internet Content Filtering

3.10.1. In accordance with Federal and State Law, Weber School District shall filter internet traffic for content defined in law that is deemed harmful to minors.

3.10.2. Weber School District acknowledges that technology based filters are not always effective at eliminating harmful content and due to this, Weber School District uses a combination of technological means and supervisory means to protect students from harmful online content.

3.10.3. In the event that students take devices home, Weber School District will provide a technology based filtering solution for those devices.  However, the District will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.

3.10.4. Students shall be supervised when accessing the internet and using district owned devices on school property.

3.11. Data Privacy

3.11.1. Weber School District considers the protection of the data it collects on students, employees and their families to be of the utmost importance.

3.11.2. Weber School District protects student data in compliance with the Family Educational Rights and Privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (“FERPA”), the Government Records Access and Management Act, U.C.A. §63G-2 (“GRAMA”), U.C.A. §53A-1-1401 et seq. (“Student Data Protection Act”), 15 U.S. Code §§ 6501–6506 (“COPPA”) and Utah Administrative Code R277-487.

3.11.3. Weber School District shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

3.12. Security Audit and Remediation

3.12.1. Weber School District shall perform routine security and privacy audits in congruence with the District’s Information Security Audit Plan.

3.12.2. District personnel shall develop remediation plans to address identified lapses that conform with the District’s Information Security Remediation Plan Template.

3.13. Disciplinary Actions

3.13.1. Employee Disciplinary Actions shall be in accordance with applicable laws, regulations and District policies. Any employee found to be in violation may be subject to disciplinary action up to and including termination of employment with the Weber School District.