Electronic Data Security – Board Level Policy
Measures Policy
Policy reflects [State] statute and aligns with other [District Name] policies.
Purpose
The purpose of this policy is to authorize and direct the Superintendent to establish, implement, and maintain data security measures.
Audience
The (District) Electronic Data Security Measures Policy applies to individuals responsible for the setup or maintenance of (District) technology.
General Statement Of Policy
The District establishes data security classifications, implements procedural and electronic security controls, and maintains records regarding assigned security authorization. Data security measures apply to District employees and all District operations. Any unauthorized access, use, transfer, or distribution of District data by any employee, student, or any other individual, may result in appropriate disciplinary action, which may include a recommendation for termination and other legal action.
Definitions
See Appendix A: Definitions
REQUIREMENT
In order to effectively implement this policy, the Superintendent, or designee, will:
- Implement standards and procedures to effectively manage and provide necessary access to District data, while at the same time ensuring the confidentiality, integrity, and availability of the information. Insofar as this policy deals with access to [District Name] Public Schools’ computing and network resources, all relevant provisions in the District’s Acceptable Electronic Use Policy apply.
- Implement procedures to effectively and appropriately handle data breaches, including procedures to notify students and families, and notification to affected educational institutions in the case of an online service provider breach.
- Provide a structured and consistent process for employees to obtain necessary data access for conducting [District Name] Public Schools operations.
- Define data classification and related safeguards. [District Name] PUBLIC SCHOOLS POLICIES
- Provide a list of relevant considerations for system personnel responsible for purchasing or subscribing to software that will utilize and/or expose District data.
- Establish a District Data Security Officer role appointed by the Superintendent with responsibilities and authority to enforce [District Name] Data Security Policy and procedures.
SCOPE
- These security measures apply to information found in or converted to a digital format. (The same information may exist in paper format for which the same local policies, state laws, statutes, and federal laws would apply, but no electronic control measures are needed.)
- Security measures apply to all employees, contract workers, volunteers, and visitors of the [District Name] Public Schools and all data used to conduct operations of the District.
- Security measures do not address public access to data.
- Security measures apply to District data accessed from any location: internal, external, or remote.
- Security measures apply to the transfer of any District data inside or outside the District for any purpose.
GUIDING PRINCIPLES
- The Superintendent, or designee, shall determine appropriate access permissions.
- Data Users granted “create” and/or “update” privileges are responsible for their actions while using these privileges. That is, all schools or other facilities are responsible for the District data they create, update, and/or delete.
- Any individual granted access to District data is responsible for the ethical use of that data. Access will be used only in accordance with the authority delegated to the individual to conduct [District Name] Public Schools operations.
- It is the express responsibility of authorized users to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and additional related District policies and/or procedures.
- These security measures apply to District data regardless of location. Users who transfer or transport District data “off-campus” for any reason must ensure that they can comply with all data security measures prior to transporting or transferring the data.
ACCESS COORDINATION
- Users appointed by the Superintendent, or designee, as Data Stewards, will be responsible for assisting in classifying data sensitivity levels for their areas of expertise and in identifying which employees require access to which information in order to complete their duties.
- The Director of Technology, Media and Information Systems will designate individuals within the technology department to implement, monitor, and safeguard access to District data based on the restrictions and permissions determined by the Data.
- Data Stewards will be responsible for educating all employees in their areas of responsibilities associated with electronic data security.
POLICY REVIEW
The Board will annually review this policy.
Adopted: [Date]
Reviewed: [Date]
Revised: [Date]
References
- ISO 27002: 10, 14, 18
- NIST CSF: PR.DS
- (District) Information Classification and Handling Policy
Waivers
Waivers from certain policy provisions may be sought following the (District) Waiver Process.
Enforcement
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.
Version History
Version 1.0.0
Modified Date
Approved Date October 2021
Approved By SecurityStudio
Reason/Comments Document Origination