Monday, 13 November 2017 10:26

Data Governance Plan


CONTENTS

  • INTRODUCTION
  • PURPOSE 
  • SCOPE 
  • REGULATORY COMPLIANCE 
  • RISK MANAGEMENT/ANALYSIS 
  • STUDENT DATA AS IT PERTAINS TO DESKTOPS/LAPTOPS/MOBILE DEVICES 
  • DATA CLASSIFICATION 
  • SYSTEMS AND INFORMATION CONTROL 
  • DISCLOSURE 
  • COMPLIANCE 
  • REQUESTING THIRD-PARTY CONTRACTOR MEMORANDUM OF AGREEMENT 
  • STUDENT DIRECTORY INFORMATION 
  • STUDENT RECORD RETENTION 
  • THIRD PARTY VENDOR REQUIREMENTS (HB 358 53A-1-1410:639)
  • PARENTAL NOTIFICATION OF INCIDENTS AND THREATS (HB 358 53A-11A-203:733) 
  • DELETING AND MAINTAINING STUDENT RECORDS (HB 358 53A-1-1407) 
  • APPROVAL AND REVIEW DETAILS 
  • APPENDIX A (Physical and Security Controls Procedures) 
  • APPENDIX B (Password Control Standards) 
  • APPENDIX C (Purchasing and Disposal Procedures) 
  • APPENDIX D (Memorandum of Agreement)

Data Governance Committee

  • Dr. Jeff Stephens, Superintendent
  • Lynn O. Raymond, Director of Technology / Data Security Officer
  • Nick Harris, Technology Supervisor
  • Tanya N. Miller, Student Data Security Manager
  • Heidi Alder, Legal Counsel

 

  • INTRODUCTION

Protecting our students’ privacy is an important priority, and Weber School District (“District”) is committed to maintaining strong and meaningful privacy and security protections. It is the policy of the District that data or information in all its forms--written, electronic, or printed--is protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle.  This protection includes an appropriate level of security over the equipment, software, and practices used to process, store, and transmit data or information.

 

The Data Governance Plan (“Plan”) formally outlines how operational and instructional activity shall be carried out to ensure the District’s student data is accurate, accessible, consistent, and protected. The Plan establishes who is responsible for information under various circumstances and specifies what procedures shall be used to manage and protect it.

 

The Plan shall be a living document. It is reviewed annually, along with the Weber School District Data Protection Policy. The Plan and all modifications shall be posted on the District’s website.

  • PURPOSE

 

    1. Incorporate reasonable data industry best practices to maintain and protect student data and other education-related data;
    2. Provide for necessary technical assistance, training, support, and auditing;
    3. Describe the process for sharing student data between an education entity and another person;
    4. Describe the process for an adult student or parent to request that data be expunged;
    5. Define data classification and related safeguards. Applicable federal and state statutes and regulations that guarantee either protection or accessibility of student data, found in student records, will be used in the classification process;
    6. Provide a list of relevant considerations for the District’s personnel responsible for purchasing or subscribing to software that will utilize and/or expose student data;
    7. Provide a structured and consistent process for employees to obtain necessary data access for conducting the District’s operations.
  • SCOPE

 

The District is authorized to establish, implement, and maintain data and information security measures. The Weber District Data Protection Policy and this Plan apply to all students and employees of the district, contractual third parties, visitors, contract workers, and agents of the district, and volunteers who have access to district data systems or data. The Policy and this Plan also apply to all forms of education data owned and maintained by the District, including but not limited to:

  • Communicated by phone or any current and future technologies
  • Hard copy data printed or written
  • Cumulative records, as defined in the Utah Code 53A-1-1402 (7) that is sent by post/courier, fax, electronic mail, text, and/or chat
  • Data stored and/or processed by PCs, laptops, servers, tablets, mobile devices, etc
  • Data stored on any type of internal, external, or removable media or cloud based services
  • REGULATORY COMPLIANCE

 

The District complies with all applicable regulatory acts, including but not limited to the following:

  • Children’s Internet Protection Act (CIPA)
  • Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §6501 – 6506)
  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C.§1232g; 34 CFR Part 99)
  • Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1320d; )
  • Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. §1232h; 34 CFR Part 98)
  • Student Data Protection Act  (Utah Code 53A-1, Part 14)
  • Utah FERPA and recent amendments (Utah Code 53A-13, Part 3)
  • RISK MANAGEMENT/ANALYSIS

 

    1. A thorough risk analysis of all the District’s data networks, systems, policies, and procedures shall be conducted on an annual basis or as requested by the Superintendent or Technology Director. The risk assessment shall be used as a basis for a plan to mitigate identified threats and risk to an acceptable level.
    2. The Data Security Officer administers periodic risk assessments to identify, quantify, and prioritize risks.  Based on the periodic assessment, measures will be implemented that mitigate the threats by reducing the amount and scope of the vulnerabilities.
  • STUDENT DATA AS IT PERTAINS TO DESKTOPS/LAPTOPS/MOBILE DEVICES

    1. Firewalls and antivirus software must be installed on all desktops, laptops and workstations that access or store sensitive information, and a procedure must be implemented to ensure that critical operating system security patches are applied in a timely manner.
    2. Storage of sensitive information on laptops, mobile devices, and devices that are not used or configured to operate as servers is prohibited, unless such information is encrypted in a Technology Department-approved encryption format.
    3. The user responsible for the device shall take proper care to isolate and protect files containing student data from inadvertent or unauthorized access.
    4. Assistance with securing sensitive information may be obtained from school-level Technicians with input from the Technology Department, as necessary.
  • DATA CLASSIFICATION

Classification is used to promote proper controls for safeguarding the confidentiality of data. Regardless of classification, the integrity and accuracy of all classifications of data are protected. The classification assigned and the related controls applied are dependent on the sensitivity of the data. Data are classified according to the most sensitive detail they include. Data recorded in several formats (e.g., source document, electronic record, report) have the same classification regardless of format.

    1. “Necessary student data” means data required by state statute or federal law to conduct the regular activities of an education entity, including:
      1. name;
      2. date of birth;
      3. sex;
      4. parent contact information;
      5. custodial parent information;
      6. contact information;
      7. a student identification number;
      8. local, state, and national assessment results or an exception from taking a local, state, or national assessment;
      9. courses taken and completed, credits earned, and other transcript information;
      10. course grades and grade point average;
      11. grade level and expected graduation date or graduation cohort;
      12. degree, diploma, credential attainment, and other school exit information;
      13. attendance and mobility;
      14. drop-out data;
      15. immunization record or an exception from an immunization record;
      16. race;
      17. ethnicity;
      18. tribal affiliation;
      19. remediation efforts;
      20. an exception from a vision screening required under Section 53A-11-203 or information collected from a vision screening required under Section 53A-11-203;
      21. information related to the Utah Registry of Autism and Developmental Disabilities, described in Section 26-7-4;
      22. student injury information;
      23. a cumulative disciplinary record created and maintained as described in Section 53A-1-1407;
      24. juvenile delinquency records;
      25. English language learner status; and
      26. child find and special education evaluation data related to initiation of an IEP.
    2. “Optional student data” means student data that is not:
      1. necessary student data; or
      2. student data that an education entity may not collect under Section 53A-1-1406.
      3. “Optional student data” includes:
        1. information that is:
          1. related to an IEP or needed to provide special needs services; and
          2. not necessary student data;
        2. biometric information; and
        3. information that is not necessary student data and that is required for a student to participate in a federal or other program.
    3. “Personally identifiable student data” includes:
        1. a student's first and last name;
        2. the first and last name of a student's family member;
        3. a student's or a student's family's home or physical address;
        4. a student's email address or other online contact information;
        5. a student's telephone number;
        6. a student's social security number;
        7. a student's biometric identifier;
        8. a student's health or disability data;
        9. a student's education entity student identification number;
        10. a student's social media username and password or alias;
        11. if associated with personally identifiable student data, the student's persistent identifier, including:
          1. a customer number held in a cookie; or
          2. a processor serial number;
        12. a combination of a student's last name or photograph with other information that together permits a person to contact the student online;
        13. information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and
        14. other information that is linked to a specific student that would allow a reasonable person in the school community, who does not have first-hand knowledge of the student, to identify the student with reasonable certainty.
    4. “Biometric information” means information, regardless of how the information is collected, converted, stored, or shared:
      1. based on an individual's biometric identifier; and
      2. used to identify the individual.
  • SYSTEMS AND INFORMATION CONTROL

Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as Weber District “systems”. All involved systems and student data maintained on these systems are assets of the District and shall be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

 

    1. Ownership of Software: All computer software developed by the District’s employees or contract personnel on behalf of the District, and all software licensed or purchased for the District’s use, is the property of the District and shall not be copied for use at home or any other location, unless otherwise specified by the license agreement.
    2. Software Installation and Use: All software packages that reside on technological systems within or used by the District shall comply with applicable licensing agreements and restrictions and shall comply with the District’s acquisition of software procedures.
    3. Virus, Malware, Spyware, Phishing and SPAM Protection: Virus checking systems and software approved by the District Technology Department are deployed using a multi-layered approach (computers, servers, gateways, firewalls, filters, etc.) that ensures all electronic files are appropriately scanned for viruses, malware, spyware, phishing and SPAM. Users shall not turn off or disable Weber School District’s protection software.
    4. Access Controls: Physical and electronic access to student data on District systems (Student Information System or SIS) that contain student data as defined in Utah Code 53A-1-1402. To ensure appropriate levels of access by District employees, contracted workers, volunteers, and other agents of the District, a variety of security measures are instituted as recommended by the Data Security Officer and approved by the District. In particular, the Data Security Officer shall document roles and rights to the SIS and other like systems. Mechanisms to control access to Personally Identifiable Student Data and computing resources include, but are not limited to, the following methods:
      1. Authorization: Access shall be granted on a “need to know” basis and shall be authorized by the superintendent, principal, immediate supervisor, or Data Security Manager with the assistance of the Technology Director. Specifically, on a case-by-case basis, permissions may be added to those already held by individual users in the SIS, again on a need-to-know basis and only in order to fulfil specific job responsibilities, with approval of the Data Security Officer. The principle of least privilege will be adopted to ensure no employee has access beyond what they need to fulfil their daily duties.
        1. All schools or other District facilities are responsible for the student data they create, update, and/or delete.
        2. Any individual granted access to student data is responsible for the ethical usage of that data. Access will be granted only in accordance with the authority delegated to the individual to conduct the District’s operations.
        3. It is the express responsibility of authorized users to safeguard the data they are entrusted with, ensuring compliance with all aspects of this Plan.
        4. These security measures apply to student data regardless of location.
        5. The Superintendent and/or his designees shall determine appropriate access permissions based on local policies, applicable laws, best practices, and the Utah Student Data Protection Act.
      2. Identification/Authentication: Unique user identification (user ID) and authentication are required for all systems that maintain or access student data. Users shall be held accountable for all actions performed on the system with their User ID.  User accounts and passwords shall NOT be shared.
      3. Data Integrity: The District provides safeguards so student data is not altered or destroyed in an unauthorized manner. Core data is backed up to a private cloud for disaster recovery.  In addition, listed below are methods that are used for data integrity in various circumstances:
  • Transaction audit
  • Core data private cloud backup
  • Disk redundancy (RAID)
  • ECC (Error Correcting Memory)
  • Checksums (file integrity)
  • Data encryption
  • Data wipes
      4. Transmission Security: Technical security mechanisms are in place to guard against unauthorized access to data that are transmitted over a communications network, including wireless networks. The following features are implemented:
  • Integrity controls
  • Encryption, where deemed appropriate

Note: Only WSD district-supported email accounts shall be used for communications to and from school employees, to and from parents or other community members, to and from other educational agencies, to and from vendors or other associations, and to and from students for school business.

      5. Remote Access: Access into the District’s network from outside is allowed using the Palo Alto Global Protect VPN. All other network access options are strictly prohibited without explicit authorization from the Technology Director. Further, student data that is stored or accessed remotely shall maintain the same level of protections as information stored and accessed within the District’s network. Student data shall only be stored in cloud storage if said storage has been approved by the Technology Director.
      6. Physical and Electronic Access and Security: Access to areas in which information processing is carried out shall be restricted to only appropriately authorized individuals. At a minimum, staff passwords shall be changed annually.
  • All student data shall be stored on servers/computers which are subject to network/workstation controls and permissions. It shall not be stored on portable media that cannot be subjected to password, encryption, or other protections.  No technological systems that may contain information as defined above shall be disposed of or moved without adhering to the appropriate disposal of electronic equipment procedures. 
  • It is the responsibility of the user to not leave these devices logged in, unattended, and open to unauthorized use.
  • Servers storing sensitive information shall be operated by professional network system administrators, in compliance with all Technology Department security and administration standards and policies, and shall remain under the oversight of Technology Department managers and physically located in the Technology Department’s data center.
  • All servers containing system data will be located in the secured data center with limited access.
  • District staff who must print reports containing student data shall take responsibility for keeping this material in a secure location – vault, locked file cabinet, etc. In addition, all printed material containing student data shall be shredded when no longer in use.
  • Network and Computer Access Permissions
        1. The Director of Technology and Network Administrator shall be responsible for implementing network protection measures that prevent unauthorized intrusions, damage, and access to all storage and transport mediums; including, but not limited to:
          1. Maintaining firewall protection access to the network and/or workstations.
          2. Protecting the network from unauthorized access through wireless devices or tapping of wired media, including establishing ‘guest’ wireless networks with limited network permissions.
          3. Implementing virus and malware security measures throughout the network and on all portable computers.
          4. Applying all appropriate security patches.
          5. Establishing and maintaining password policies and controls on access to the network, workstations, and other data depositories.
        2. The Director of Technology and Network Administrator will apply protection measures that include:
          1. Categorizing and/or re-classifying data elements and views.
          2. Granting selective access to District systems and software and student data contained therein.
          3. Documenting any deviation from mandatory requirements and implementing adequate compensating control(s).
          4. Conducting periodic access control assessments of any sensitive information devices or services.
  • Data Transfer/Exchange/Printing
      1. Electronic Mass Data Transfers: Downloading, uploading or transferring student data between systems shall be strictly controlled. Requests for mass download of, or individual requests for, information for research or any other purposes that include student data shall be in accordance with this policy and be approved by the data security officer. All other mass downloads of information shall be approved by the data security officer and include only the minimum amount of information necessary to fulfil the request. A Memorandum of Agreement (MOA) shall be in place when transferring student data to external entities such as software or application vendors, textbook companies, testing companies, or any other web based application.
      2. Other Electronic Transfers and Printing: Student data shall be stored in a manner inaccessible to unauthorized individuals. Student data shall not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. Student data that is downloaded for educational purposes shall, where possible, be de-identified before use.
    1. Oral Communications: District staff shall be aware of their surroundings when discussing student data. This includes but is not limited to the use of cellular telephones in public areas. District staff shall not discuss student data in public areas if the information can be overheard. Caution shall be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

Audit Controls: Hardware, software, services and/or procedural mechanisms that record and examine activity in information systems that contain or use student data are reviewed by the Data Security Officer annually.  Further, the Data Security Officer also regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports.  These reviews shall be documented and maintained for six (6) years.  

    1. Evaluation: The District requires that periodic technical and non-technical evaluations of access controls, storage, and other systems be performed in response to environmental or operational changes affecting the security of electronic student data to ensure its continued protection.
    2. IT Disaster Recovery: Controls shall ensure that the District can recover from any damage to critical systems, data, or information within a reasonable period of time. Each school, department, or individual is required to report any instances immediately to the Superintendent and Technology Director for response to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages data or systems. The IT Disaster Plan shall include the following:
  • A prioritized list of critical services, data, and contacts
  • A process enabling the District to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure
  • A process enabling the District to continue to operate in the event of a fire, vandalism, natural disaster, or system failure
  • Procedures for periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary
  • DISCLOSURE

    1. Roles and Responsibility of Student Data Manager
      1. Will act as main point of contact for the Utah State Board of Education Student Data Officer
      2. Will not share, outside of the District, student data without authorization
      3. May share student data with the student or legal guardian (HB 358 53A-1-1409:584)
      4. May share a student’s data from a cumulative record with:
        1. A school official
        2. An authorized caseworker or other representative of the Department of Human Services
          1. if the Department of Human Services is legally responsible for the care and protection of the student or
          2. is providing services to the student
          3. a person to whom the District has outsourced a service or function
      5. May share aggregate data if:
        1. The Student Data Manager receives a request for the purpose of external research or evaluation and the following steps have been taken
          1. Submit the request to the District research review process
          2. Fulfil the instructions that result from the research review process
        2. May share student data in response to a subpoena issued by a court (HB 358 53A-1-1409:623)
    2. The Department of Human Services, Weber School District Officials, and the Utah Juvenile Court may share education information, including student data, to improve education outcomes for youth if the youth:
      1. Is in the custody of, or under the guardianship of, the Department of Human Services
      2. Is receiving services from the Division of Juvenile Justice Services
      3. Is in custody of the Division of Child and Family Services
      4. Is receiving services from the Division of Services for People with Disabilities
      5. Is under the jurisdiction of the Utah Juvenile Court (HB 358 53A-1-1409:615)
  • COMPLIANCE

    1. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
  • Unauthorized disclosure of student data
  • Unauthorized disclosure of login information (Username and Password)
  • An attempt to obtain login credentials that belong to another person
  • An attempt to use another person’s login credentials
  • Installation or use of unlicensed software on the District technological systems
  • The intentional unauthorized altering, destruction, or disposal of the District’s information, data and/or systems. This includes the unauthorized removal from the District of technological systems such as but not limited to laptops, internal or external storage, computers, servers, backups or other media, copiers, etc. that contain student data.
  • An attempt to gain access to log-in codes for purposes other than for support by authorized technology staff, including the completion of fraudulent documentation to gain access.
  • REQUESTING THIRD-PARTY CONTRACTOR MEMORANDUM OF AGREEMENT

    1. Prior to using any tools, programs, websites, software, material, (collectively referred to as “contractor tools”) from a third-party contractor, employees will take the following steps:
      1. The employee must contact their principal or administrator.
      2. The administrator will contact the Student Data Manager (Tanya Miller).
      3. The Student Data Manager will work with the contractor to ensure it is in compliance with the Student Data Protection Policy and this Plan.
      4. The Student Data Manager will then inform the Data Security Officer (Lynn Raymond) of the request.
      5. Once a decision has been made regarding the use of contractor tools, the Student Data Manager will inform the principal and/or administrator of the decision.
      6. If the Student Data Manager approves of the use of the contractor tools, the contractor must enter into the district’s Third Party Contractor Memorandum of Agreement.
  • STUDENT DIRECTORY INFORMATION

    1. The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that the District, with certain exceptions, obtain written consent prior to the disclosure of personally identifiable information from a student’s education records. However, the District may disclose appropriately designated ‘directory information’ without written consent, unless a parent, legal guardian, or adult student has advised the district to the contrary in accordance with District procedures. The primary purpose of directory information is to allow the District to include this type of information from a student’s education records in certain school publications. Publications may be in print or digital format. Examples include, but are not limited to, the following:
  • A playbill, showing a student's role in a drama production;
  • The annual yearbook;
  • Honor roll or other recognition lists;
  • Graduation programs
  • Sports activity sheets, such as for wrestling, showing weight and height of team members.
    2. Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks, take school pictures, or process data.
    3. In addition, two federal laws require the District, receiving assistance under the Elementary and Secondary Education Act of 1965 (ESEA), to provide military recruiters and institutions of higher learning, upon request, with three directory information categories (names, addresses and telephone listings) unless a parent, legal guardian, or adult student has advised the District that they do not want their student’s information disclosed without their prior written consent.
    4. If a parent, legal guardian, or adult student does not want the District to disclose ‘directory information’ from a student’s education records without prior written consent, the parent, legal guardian, or adult student must notify the school principal in writing within five (5) school days of the student's first day of attendance.
    5. The District may disclose the following information as directory information:
  • Student’s name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
  • A student number assigned by the District
    6. In order to make certain software applications available to students and parents, the District may need to upload specific ‘directory information’ to the software provider in order to create distinct accounts for students and/or parents. In these cases, the District will provide only the minimum amount of ‘directory information’ necessary for the student or parent to successfully use the software service.

 

 

APPENDIX A (Physical and Security Controls Procedures)

 

Physical and Security Controls

 

The following physical and security controls shall be adhered to:

 

  1. Network systems shall be installed in an access-controlled area. The area in and around the computer facility shall afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
  2. Monitor and maintain data centers’ temperature and humidity levels.
  3. File servers and/or storage containing PII, Confidential and/or Internal Information shall be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
  4. Computers and other systems shall be secured against use by unauthorized individuals. It is the responsibility of the user to not leave these devices logged in, unattended, and open to unauthorized use.
  5. Ensure network systems and network equipment are properly secured to prevent unauthorized physical access and data is properly safeguarded to protect from loss. A record shall be maintained of all personnel who have authorized access.
  6. Maintain a log of all visitors granted entry into secured areas or areas containing sensitive or confidential data (e.g., data storage facilities). Record the visitor’s name, organization, and the name of the person granting access. Retain visitor logs for no less than 6 months. Ensure visitors are escorted by a person with authorized access to the secured area.
  7. Monitor and control the delivery and removal of all asset-tagged and/or data-storing technological equipment or systems. Maintain a record of all such items entering or exiting their assigned location using the district approved technology inventory program. No technology equipment regardless of how purchased or funded shall be moved without the explicit approval of the technology department.
  8. Ensure that technological equipment or systems being removed for transfer to another organization or being designated as surplus property is appropriately sanitized in accordance with applicable policies and procedures.

 

APPENDIX B (Password Control Standards)

 

Password Control Standards

The District’s Data Governance and Use Policy requires the use of strictly controlled passwords for network access and for access to secure sites and information. In addition, all users are assigned to Microsoft security groups that are managed through Microsoft Group Policies. The security groups include separate groups at each school for Office Staff, Tech Staff, Instructional Staff, Students, and Users.

Password Standards:

  1. Users are responsible for complying with the following password standards for network access or access to secure information:
      • Passwords shall never be shared with another person.
      • Every password shall, where possible, be changed yearly, if not more frequently, for staff and on an age-appropriate schedule for students. Guest passwords are changed every 28 days.
      • Passwords shall, where possible, have a minimum length of eight (8) characters.
      • When possible, for secure sites and/or software applications, user-created passwords should adhere to the same criteria as required for network access. These criteria are defined in the District’s WSD Network Group Policy Criteria for Passwords and are listed below:
          • Shall not contain the user's account name or parts of the user's full name
          • Contain characters from three of the following four categories:
              • English uppercase characters (A through Z)
              • English lowercase characters (a through z)
              • Base 10 digits (0 through 9)
              • Non-alphabetic characters (for example, !, $, #, %)
      • Passwords shall never be saved when prompted by any application, with the exception of central single sign-on (SSO) systems as approved by the Technology Department.
      • Passwords shall not be programmed into a PC or recorded anywhere that someone may find and use them.
      • When creating a password for secure information or sites, it is important not to use passwords that are easily guessed due to their association with the user (e.g., children’s names, pets’ names, birthdays, etc.). A combination of alpha and numeric characters is more difficult to guess.

  2. Where possible, system software should enforce the following password standards:
      • Passwords routed over a network shall be encrypted.
      • Passwords shall be entered in a non-display field.
      • System software shall enforce the changing of passwords and the minimum length.
      • System software shall disable the user password when more than five consecutive invalid passwords are given. Lockout time shall be set at a minimum of 30 minutes.
      • System software should maintain a history of previous passwords and prevent their being easily guessed due to their association with the user. A combination of alpha and numeric characters is more difficult to guess.
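The enforceable rules above (eight-character minimum, three of four character categories, no account name or name parts, lockout for at least 30 minutes after more than five consecutive invalid passwords) can be expressed as server-side checks. The following is an added example, not the District's own code: the function and class names are hypothetical, the sample user is constructed, and treating a "part" of the full name as any token of three or more characters is an assumption the Plan does not define.

```python
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                     # minimum length of eight characters
REQUIRED_CATEGORIES = 3            # three of the four character categories
MAX_CONSECUTIVE_FAILURES = 5       # disable when MORE than five are given
LOCKOUT = timedelta(minutes=30)    # minimum lockout time
# Assumption (the Plan does not define "parts" of a name): split the full
# name on whitespace and punctuation, ignore tokens shorter than 3 characters.
NAME_DELIMITERS = re.compile(r"[\s,.\-_#]+")
MIN_TOKEN = 3
# Uppercase, lowercase, digit, and anything that is not an ASCII letter or digit.
CATEGORY_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_violations(password, account_name, full_name):
    """Return the list of rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    tokens = [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= MIN_TOKEN]
    if len(account_name) >= MIN_TOKEN:
        tokens.append(account_name)
    lowered = password.casefold()
    if any(t.casefold() in lowered for t in tokens):
        problems.append("contains account name or part of full name")
    used = sum(1 for p in CATEGORY_PATTERNS if re.search(p, password))
    if used < REQUIRED_CATEGORIES:
        problems.append("fewer than 3 character categories")
    return problems


class LockoutTracker:
    """Counts consecutive invalid passwords per account and applies the lockout."""

    def __init__(self):
        self._failures = {}        # account -> consecutive invalid passwords
        self._locked_until = {}    # account -> datetime the lockout ends

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account, password_ok, now):
        """Record one attempt; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True            # attempts during lockout are refused outright
        if password_ok:
            self._failures[account] = 0
            return False
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] > MAX_CONSECUTIVE_FAILURES:
            self._locked_until[account] = now + LOCKOUT
            self._failures[account] = 0
            return True
        return False


if __name__ == "__main__":
    # Constructed sample user and passwords, for illustration only.
    for candidate in ("Summer2017!", "janedoe1", "Winter-Doe9", "Ab1!"):
        print(candidate, password_violations(candidate, "jdoe", "Jane Doe"))
    tracker, start = LockoutTracker(), datetime(2017, 11, 13, 8, 0)
    print([tracker.record("jdoe", False, start) for _ in range(6)])
```

Note that the sixth consecutive failure, not the fifth, triggers the lockout, and that a correct password presented during the lockout window is still refused.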

APPENDIX C (Purchasing and Disposal Procedures)

 

Purchasing and Disposal Procedures for

 

This procedure is intended to provide for the proper purchasing and disposal of technological devices only. Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as ‘systems’ in this document. For further clarification of the term technological systems, contact the District’s (WSD) Technology Director.

 

All involved systems and information are assets of the District and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

 

  1. Purchasing Guidelines

All systems that will be used in conjunction with the District technology resources or purchased, regardless of funding, shall be purchased from an approved list or be approved by the Technology Director. Failure to have the purchase approved may result in lack of technical support, request for removal from premises, or denied access to other technology resources.

 

  1. Utah Competitive Bid Laws

All electronic equipment is subject to Utah competitive bid laws. There are several purchasing co-ops that have been approved for use by the Utah State Board of Education. In the event that a desired product is not included in one of these agreements, the District bids the item or items using the district’s competitive bidding process. All technological systems, services, etc. over $15,000 purchased with public funds are subject to Utah’s competitive bid laws.

 

  1. Inventory

All technological devices or systems over $500 are inventoried by the Technology Department in accordance with the District’s Finance Department using the iFAS inventory system. There are some exceptions under $500, as determined by the Technology Director, such as but not limited to companion devices or peripherals that are inventoried. The district technology staff is responsible for ensuring that any network equipment, file servers, or district systems, etc. are inventoried.

 

  1. Disposal Guidelines

Equipment shall be considered for disposal for the following reasons:

  1. End of useful life
  2. Lack of continued need
  3. Obsolescence
  4. Wear, damage, or deterioration
  5. Excessive cost of maintenance or repair

 

The local school principal, Technology Director, and the District’s WSD Purchasing Agent shall approve school disposals by discard or donation. Written documentation in the form of a spreadsheet including but not limited to the following shall be provided to the District Technology Office no later than Wednesday at 9:00 a.m.

  1. Fixed asset tag (FAT) number,
  2. Location,
  3. Description,
  4. Serial number, and
  5. Original cost and account code if available.

  1. Methods of Disposal

Once equipment has been designated and approved for disposal, it shall be handled according to one of the following methods. It is the responsibility of the local school Technology Coordinator to modify the iFAS inventory entry to reflect any in-school transfers, in-district transfers, donations, or discards for technological systems. The district technology staff is responsible for modifying the inventory records to reflect any transfers within the central offices, transfers of central office electronic equipment to local schools, central office donations, or central office discards.

 

  1. Transfer/Redistribution

If the equipment has not reached the end of its estimated life, an effort shall be made to redistribute the equipment to locations where it can be of use, first within an individual school or office, and then within the district. Service requests may be entered to have the equipment moved, reinstalled and, in the case of computers, laptops, or companion devices, have it wiped and reimaged or configured.

 

  1. Discard

All electronic equipment in the District shall be discarded in a manner consistent with applicable environmental regulations. Electronic equipment may contain hazardous materials such as mercury, lead, and hexavalent chromium. In addition, systems may contain Personally Identifiable Information (PII), Confidential, or Internal Information. Systems shall be wiped clean of this information prior to leaving the school district.

 

A district-approved vendor shall be contracted for the disposal of all technological systems/equipment. The vendor shall provide written documentation verifying the method used for disposal and a certificate stating that no data of any kind can be retrieved from the hard drive or any other component capable of storing data. Under no circumstances should any technological systems/equipment be placed in the trash. Doing so may make the District and/or the employee who disposed of the equipment liable for violating environmental regulations or laws.

 

  1. Donation

If the equipment is in good working order, but no longer meets the requirements of the site where it is located, and cannot be put into use in another part of a school or system, it may be donated upon the written request of the receiving public school system’s superintendent or non-profit organization’s director.

 

It shall be made clear to any school or organization receiving donated equipment that the District WSD is not agreeing to and is not required to support or repair any donated equipment. It is donated AS IS.

District WSD staff should make every effort, before offering donated equipment, to make sure that it is in good condition and can be re-used. Microsoft licenses or any other software licenses are not transferred outside the District.

 

Donations are prohibited to individuals outside of the school system or to current faculty, staff, or students of the District. The donation of or sale of portable technology-related equipment is permissible to retiring employees if the following criteria have been met:

 

  • the portable equipment has been used solely by the retiring employee for over two years;
  • the equipment shall not be used by the employee assuming the responsibilities of the retiring employee; and
  • the equipment has reached or exceeded its estimated life.

 

All donations and/or sales shall be approved by the Finance Director and Technology Director.

 

  1. Required Documentation and Procedures

 

  1. For purchases, transfers and redistributions, donations, and disposal of technology-related equipment, it is the responsibility of the appropriate on-site technician to create/update the inventory to include previous location, new school and/or room location, and to note the transfer or disposal information. When discarding equipment, the fixed asset tag is removed from the equipment and turned in with other documentation to the local school bookkeeper. A spreadsheet export from iFAS is sent to the district technology office.

 

  1. When equipment is donated, a copy of the letter requesting the equipment shall be on-file with the district technology office prior to the donation. Equipment is donated in order of request.

 

  1. Any equipment donated shall be completely wiped of all data. This step will not only ensure that no confidential information is released, but also shall ensure that no software licensing violations will inadvertently occur. For non-sensitive machines, all hard drives shall be fully wiped using a wiping program approved by the district technology office, followed by a manual scan of the drive to verify that zeros were written.

 

  1. Any re-usable hardware that is not essential to the function of the equipment that can be used as spare parts shall be removed: special adapter cards, memory, hard drives, zip drives, CD drives, etc.

 

  1. A district-approved vendor SHALL handle all disposals that are not redistributions, transfers, or donations. Equipment shall be stored in a central location prior to pick-up. Summary forms shall be turned in to the district technology office and approved by the Finance Director prior to the scheduled “pick up” day. be boxed together and shall not be listed on summary forms.

 

APPENDIX D (Memorandum of Agreement)

 

Weber School District’s Technological Services and Systems

 

Memorandum of Agreement (MOA)

THIS MEMORANDUM OF AGREEMENT, executed and effective as of the ____ day of _________________, 20___, by and between _________________, a corporation organized and existing under the laws of (the “Company”), and WEBER SCHOOL DISTRICT (WSD), a public school system organized and existing under the laws of the state of Utah (the “School Board”), recites and provides as follows.

 

Recitals

 

The Company and the School Board are parties to a certain agreement entitled “_________________________” hereafter referred to as (the “Agreement”). In connection with the execution and delivery of the Agreement, the parties wish to make this Memorandum of Agreement (also referred to as MOA or Addendum) a part of the original Agreement in order to clarify and/or make certain modifications to the terms and conditions set forth in the original Agreement.

 

The Company and the School Board agree that the purpose of such terms and conditions is to ensure compliance with the Family Educational Rights and Privacy Act (FERPA) and the overall privacy and security of student Personally Identifiable Information (PII) hereafter referred to as student information and/or data, including but not limited to (a) the identification of the Company as an entity acting for the School Board in its performance of functions that a School Board employee otherwise would perform; and (b) the establishment of procedures for the protection of PII, including procedures regarding security and security breaches.

 

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is acknowledged hereby, the parties agree as follows.

 

Agreement

 

The following provisions shall be deemed to be included in the Agreement:

 

Confidentiality Obligations Applicable to Certain WSD Student Records. The Company hereby agrees that it shall maintain, in strict confidence and trust, all WSD student records containing personally identifiable information (PII) hereafter referred to as “Student Information”. Student information shall not be shared with any other resource or entity that is outside the intended purpose of the Agreement.

 

The Company shall cause each officer, director, employee and other representative who shall have access to WSD Student Records during the term of the Agreement (collectively, the “Authorized Representatives”) to maintain in strict confidence and trust all WSD Student Information. The Company shall take all reasonable steps to ensure that no WSD Student information is disclosed to any person or entity except those who (a) are Authorized Representatives of the Company performing functions for WSD under the Agreement and have agreed to be bound by the terms of this Agreement; (b) are authorized representatives of WSD; or (c) are entitled to such WSD student information from the Company pursuant to federal and/or Utah law. The Company shall use WSD student information, and shall take all reasonable steps necessary to ensure that its Authorized Representatives shall use such information, solely for purposes related to and in fulfilment of the performance by the Company of its obligations pursuant to the Agreement.

 

The Company shall: (a) designate one of its Authorized Representatives to be responsible for ensuring that the Company and its Authorized Representatives maintain the WSD student information as confidential; (b) train the other Authorized Representatives with regard to their confidentiality responsibilities hereunder and pursuant to federal and Utah law; (c) maintain at all times a list of Authorized Representatives with access to WSD student information.

 

Other Security Requirements. The Company shall maintain all technologies, policies, procedures and practices necessary to secure and protect the confidentiality and integrity of WSD student information, including procedures to (a) establish user IDs and passwords as necessary to protect such information; (b) protect all such user passwords from detection and unauthorized use; (c) prevent hostile or unauthorized intrusion that could result in data corruption, or deny service; (d) prevent and detect computer viruses from spreading to disks, attachments to e-mail, downloaded files, and documents generated by word processing and spreadsheet programs; (e) minimize system downtime; (f) notify WSD of planned system changes that may impact the security of WSD data; (g) return or destroy WSD data that exceed specified retention schedules; (h) notify WSD of any data storage outside the US; (i) in the event of system failure, enable immediate recovery of WSD information to the previous business day. The Company should guarantee that WSD data shall not be sold to, accessed by, or moved by third parties.

 

In the event of a security breach, the Company shall (a) immediately take action to close the breach; (b) notify WSD within 24 hours of Company's first knowledge of the breach, the reasons for or cause of the breach, actions taken to close the breach, and identify the WSD student information compromised by the breach; (c) immediately notify the student, if they are an adult student, or the legal guardian if the student is not an adult; (d) return compromised WSD data for review; (e) provide communications on the breach to be shared with affected parties and cooperate with WSD efforts to communicate to affected parties by providing WSD with prior review of press releases and any communications to be sent to affected parties; (f) take all legally required, reasonable, and customary measures in working with WSD to remediate the breach which may include toll free telephone support with informed customer services staff to address questions by affected parties and/or provide monitoring services if necessary given the nature and scope of the disclosure; (g) cooperate with WSD by providing information, records and witnesses needed to respond to any government investigation into the disclosure of such records or litigation concerning the breach; and (h) provide WSD with notice within 24 hours of notice or service on Company, whichever occurs first, of any lawsuits resulting from, or government investigations of, the Company's handling of WSD data of any kind, failure to follow security requirements and/or failure to safeguard WSD data. The Company’s compliance with the standards of this provision is subject to verification by WSD personnel or its agent at any time during the term of the Agreement. Said information should only be used for the purposes intended and shall not be shared, sold, or moved to other companies or organizations nor should other companies or organizations be allowed access to said information. (HB 358 53A-1-1405:475)

Disposition of WSD Data Upon Termination of Agreement

 

Upon expiration of the term of the Agreement, or upon the earlier termination of the Agreement for any reason, the Company agrees that it promptly shall deliver to the School Board, and shall take all reasonable steps necessary to cause each of its Authorized Representatives promptly to deliver to the School Board, all required WSD student data and/or staff data or proof that all student/staff data has been expunged. The Company hereby acknowledges and agrees that, solely for purposes of receiving access to WSD data and of fulfilling its obligations pursuant to this provision and for no other purpose (including without limitation, entitlement to compensation and other employee benefits), the Company and its Authorized Representatives shall be deemed to be school officials of the School Board, and shall maintain WSD data in accordance with all federal, state, and local laws, rules and regulations regarding the confidentiality of such records. The non-disclosure obligations of the Company and its Authorized Representatives regarding the information contained in WSD data shall survive termination of the Agreement. The Company shall indemnify and hold harmless the Board from and against any loss, claim, cost (including attorneys' fees) or damage of any nature arising from or in connection with the breach by the Company or any of its officers, directors, employees, agents or representatives of the obligations of the Company or its Authorized Representatives under this provision.

Certain Representations and Warranties. The Company hereby represents and warrants as follows: (a) the Company has full power and authority to execute the Agreement and this MOA and to perform its obligations hereunder and thereunder; (b) the Agreement and this MOA constitute the valid and binding obligations of the Company, enforceable in accordance with their respective terms, except as such enforceability may be limited by bankruptcy or similar laws affecting the rights of creditors and general principles of equity; and (c) the Company’s execution and delivery of the Agreement and this Addendum and compliance with their respective terms will not violate or constitute a default under, or require the consent of any third party to, any agreement or court order to which the Company is a party or by which it may be bound.

 

Governing Law; Venue. Notwithstanding any provision contained in the Agreement to the contrary, (a) the Agreement shall be governed by and construed in accordance with the laws of the State of Utah, without reference to conflict of laws principles; and (b) any dispute hereunder which is not otherwise resolved by the parties hereto shall be decided by a court of competent jurisdiction located in the State of Utah.

 

IN WITNESS WHEREOF, the parties hereto have caused this Addendum to be executed by their duly authorized officers effective as of the date first written above.

 

[COMPANY NAME]

 

By:_____________________________

 

[Name]

 

[Title]

 

WEBER SCHOOL DISTRICT

 

By:_____________________________

 

[Name]

 

[Title]

 

Weber School District

 

Last modified on Tuesday, 14 November 2017 07:45