- Plano Independent School District
- Information Security Regulations
-
Purpose of the information security regulations
The purposes of the information security regulations are to:
- Maintain confidentiality, integrity and availability of the Plano Independent School District's electronic communication and data management systems, including, without limit, its telephone system, managed computers, computer networks, electronic mail systems, videoconferencing systems, cloud services, and its Internet and intranet access capabilities (referred throughout as the “System”).
- Comply with applicable laws and regulations.
- Foster responsible use of the System by building a culture of information security risk awareness and mitigation.
General
- The district will use a layered approach of security controls, secure configuration, patching, monitoring, protection, detection, and authentication to ensure overall security of the System.
- Security reviews of servers, firewalls, routers, monitoring platforms, backups, and audit logs must be conducted on a regular basis.
- Vulnerability and risk assessment tests of the System must be conducted on a regular basis.
- Routine system and data backups must be performed. Backups must be periodically tested to ensure functionality.
- Disaster recovery plan, recovery prioritization, and the security of backup data must be maintained.
- Incident response plan must be maintained, and regular tabletop exercises must be conducted.
- Cybersecurity awareness and education must be implemented to ensure that users understand their shared responsibility of protecting the district's data, network and system resources.
- Violation of the Information Security Regulations may result in disciplinary actions as authorized by the district in accordance with district disciplinary policies, procedures, and codes of conduct.
- Access to the System shall be made available to employees primarily for educational and administrative purposes.
- Access to the System is a privilege, not a right. Users must comply with all administrative regulations and guidelines.
- The District reserves the right to use the System for purposes as it sees fit and reserves the right to monitor all activity on the System, including individual user accounts. District may monitor use, including appropriate use, at any time to ensure appropriate use for educational or administrative purposes and/or compliance with District policy.
- The District’s System will only be used for learning, teaching, and administrative purposes consistent with the District’s mission and goals. Commercial use of the District’s System is strictly prohibited. The System may not be used for illegal purposes, in support of illegal activities, or for any other activity prohibited by District Policy or guidelines.
- System users will immediately notify a campus administrator or the System administrator or the Technology Services if a potential security problem is suspected or exists.
- System users must not download, install or run any programs or utilities on their systems except those authorized and installed by the IT Department and specifically designed to conduct the business of the District. All software must be reviewed for network and hardware compatibility by the IT Department prior to authorization of purchase, donation or use by the Administration. Unauthorized software is subject to removal upon discovery.
- Any attempt to harm or destroy the System, District equipment or data, the data of another user of the District’s System, or the data of the agencies or other networks that are connected to the Internet, are prohibited.
- System users should be mindful that use of school-related electronic mail addresses might result in some recipients or other readers of that mail to assume the System user represents the District or school, whether or not that was the user’s intention.
- We each have a responsibility for ensuring the District's system and data are protected from unauthorized access and improper use.
Data Security
- Confidential Data or other information essential to the mission of the District should be stored on a District-managed network server and cloud storage when possible, rather than on District-owned desktop workstations, laptops, or portable devices. “Confidential Data” shall include, but is not limited to, the following: student data, educational records, employee data, metadata, user content, course content, materials, and any and all data and information that the District maintains.
- Users shall not disclose confidential District data except as permitted or required by law and only as part of their official duties on behalf of the District. .
- Forgery or attempted forgery of electronic mail messages or misrepresentation of the identity of a sender is prohibited.
- The District shall preserve and destroy documents, including electronically stored information according to procedures developed by the records management officer.
- All messages, files and documents – including personal messages, files and documents – located on the District System are owned by the District, may be subject to open records requests, and may be accessed in accordance with this policy.
- System users may not gain unauthorized access to System and/or District resources or information. Unauthorized access or attempts to access the System are strictly prohibited and will result in appropriate disciplinary action.
- Users may not store Confidential District Data with an unauthorized third-party storage service (often referred to as "cloud" storage) or on their personal devices.
Access Control
- Access privileges will be assigned to users to provide the minimum necessary permission to perform job responsibilities.
- Network accounts will be assigned to individuals, except when a shared account is justified by the functions being performed. Accounts designed specifically for a shared purpose or specific system task, such as facilitating data backups or scheduled batch processing, will be granted only in cases when absolutely necessary and will be shared with as few individuals as necessary to effectively perform District operations.
- Users may not share individually-assigned access control devices (e.g. door access badges, and/or door keys) unless necessary to preserve life safety.
- Users should protect their password(s) and should not disclose their passwords to any other person to help ensure the security and integrity of the System. No user should attempt to gain access to another user’s electronic mailbox, telephone voicemail box, computer files, or Internet account unless expressly authorized to do so by the user whose systems are being accessed, or by an authorized representative of the District. Any user who receives information such as electronic mail messages in error should not read the message, but should instead return the message to the sender and delete the message immediately.
- Account credentials should not be hard coded into scripts, software code, or system configurations. When hard coding credentials is deemed necessary, system owners will store these files securely and will maintain sufficient documentation to allow periodic manual changes to passwords or other credentials.
- When employment relationships are subject to change or termination, responsible management will participate in checkout processes defined by Human Resources to ensure timely disabling of system access
- District may disable user network access based on a reasonable indication that the account has been disclosed to, or compromised by, a malicious party.
Exemptions
- Compliance with all elements of this regulation may not be possible in some situations given the tradeoffs between risk, cost, and operational impact. Users may request exemptions to elements of this regulation from the Assistant Superintendent for Technology Services. When applicable, the requester will be asked to accept risks associated with non-compliance. Exemption requests should include an explanation of why compliance with specific regulation elements is not feasible and should describe compensating controls that are in place to reduce risk. Approved exemptions will include an expiration date.
Reporting an Incident
- Report any cybersecurity issues/incidents to
Plano ISD Help Desk
helpdesk@pisd.edu
469-752-8767