SECURITY AND ELECTRONIC COMMUNICATIONS WHAT YOU NEED TO KNOW FOR YOUR AUDIT.

POLICY
On the way: in the process of being written, working with MORENet to ensure best practices and meet State Auditor requirements

WHAT’S UP?
Auditor has completed audits of 5 districts: Boonville, Cape Girardeau, Orchard Farm, Park Hill, Waynesville
  – Keep in mind these are “large(er)” districts
Some common themes occur in all the audits:
  – Passwords
  – Backups
  – Access Control
  – Data Access/Disclosure
  – Account Management

RESPONSIBILITY
EVERYONE in the district must be on board with the plan
Won’t work if “some” teachers refuse to change passwords, etc.
Even board members need to be on board: everyone is potentially vulnerable to cybersecurity issues

PASSWORDS
District should establish “adequate” password controls to reduce the risk of unauthorized access to computers and data:
Require all users to identify themselves
Maintain a secure password before accessing district information
Have a set expiration date
  – Otherwise a user would have a “non-expiring password”, which creates a greater risk of the password becoming known
Prohibit sharing passwords or using another person’s

USER ACCESS
Must perform periodic reviews of users’ access to data
  – This means not everyone should have access to everything
  – Access must be appropriate and aligned with job duties
  – As duties change, access may change or even be removed
Also monitor accounts assigned to former employees/volunteers
  – “Inactive accounts”: not used for an extended period of time
There should be no accounts shared by multiple users

USER ACCESS
Should be based on “need to know”, NOT on position
District should decide who will determine access; this should be a very limited number of people
  – This is NOT necessarily the IT person
  – IT may implement, but most likely won’t decide who gets access
Should also have very detailed, up-to-date information on who has access to what
Something to think about: emergency access??

USER ACCESS
Logon banners
  – Must display logon banners to users accessing district systems and data
  – Should display information to users regarding applicable privacy and security notices and required compliance with applicable laws, regulations, and policies

LOGON BANNER
Should state:
  – A user is accessing a district-provided information system
  – That usage of the system may be monitored, recorded, and subject to audit
  – That unauthorized use of the system is prohibited and may be subject to criminal and civil penalties
  – That use of the system constitutes agreement with these terms

TERMINATING ACCESS
Need a policy/procedure for disabling or removing user accounts in a timely manner
  – Many instances of former users having access to district systems more than 30 days after leaving the district!
Procedures must be consistently applied, even to those not “technically” district employees
Need a process for reporting all staff actions to the IT department for accurate monitoring
  – IT director most likely the person to document
Same for students

SHARED ACCOUNTS / CONCURRENT ACCESS
Should prohibit staff from “sharing” accounts and passwords
No “generic” names or passwords
  – Must be able to identify the user of a specific account: a “uniquely identifiable user account”
Do not allow “concurrent access” to district systems
  – Signing on to two separate machines in two separate places
  – Only one location at a time
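As an added illustration (not part of the presentation), a small account-review script in the spirit of the slides on user access, terminating access and shared accounts: it flags enabled accounts with no identifiable owner, former users still enabled more than 30 days after separation, inactive accounts, and passwords that never expire or are past their age limit. The 30-day figure comes from the audit findings; the 90-day inactivity and password-age thresholds, the record fields and the sample accounts are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    username: str
    owner: Optional[str]           # None: no single identifiable person (generic/shared)
    enabled: bool
    last_login: Optional[date]
    password_set: Optional[date]
    password_never_expires: bool
    separated: Optional[date]      # date HR reported the person left, if any

# Thresholds: 30 days matches the audit findings; the other two are assumptions.
FORMER_USER_GRACE = timedelta(days=30)
INACTIVE_AFTER = timedelta(days=90)
PASSWORD_MAX_AGE = timedelta(days=90)

def review_accounts(accounts, today):
    """Return (username, finding) pairs an auditor would flag."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                                   # disabled accounts grant no access
        if a.owner is None:
            findings.append((a.username, "shared/generic account: no uniquely identifiable user"))
        if a.separated and today - a.separated > FORMER_USER_GRACE:
            findings.append((a.username, "former user still enabled >30 days after separation"))
        if a.last_login is None or today - a.last_login > INACTIVE_AFTER:
            findings.append((a.username, "inactive account"))
        if a.password_never_expires:
            findings.append((a.username, "password set to never expire"))
        elif a.password_set is None or today - a.password_set > PASSWORD_MAX_AGE:
            findings.append((a.username, "password past expiration"))
    return findings

# Constructed sample export; these are not real district accounts.
TODAY = date(2024, 5, 1)
def _ago(days):
    return TODAY - timedelta(days=days)

SAMPLE_ACCOUNTS = [
    Account("jsmith", "J. Smith", True, _ago(3), _ago(20), False, None),          # clean
    Account("library", None, True, _ago(1), _ago(400), True, None),               # shared, never expires
    Account("bjones", "B. Jones", True, _ago(120), _ago(10), False, _ago(45)),    # left 45 days ago
    Account("mlee", "M. Lee", False, _ago(200), _ago(200), False, _ago(60)),      # already disabled
    Account("kwhite", "K. White", True, _ago(5), _ago(100), False, None),         # stale password
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
```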

DATA GOVERNANCE
Ensure the confidentiality, integrity, availability and quality of all data
Establish decision-making authority
Define policies for sensitive data
Ensure data is collected, maintained, used, and disseminated in an appropriate manner

DATA GOVERNANCE
Formally assign responsibility for management of the district’s data
Formalize a “data stewardship plan”
  – Policies/procedures on protecting student data
Maintain an inventory of data files, the data in the files, and the sensitivity of the data
  – Should classify by level of sensitivity
Implement a process to detect unauthorized disclosure of Personally Identifiable Information (PII)
Adopt a formal policy regarding archiving or destroying data at the end of its lifecycle
  – Destruction is the process of removing information in a way that renders it unreadable or irretrievable

DATA GOVERNANCE
Everyone must be on board
  – Example: teachers who copy student info onto a zip drive
  – This must be monitored and recorded
Must know where data is stored so that it may be protected

SECURITY
Formally appoint specific personnel to serve as security administrator(s)
  – Assign responsibility for creating, implementing, and maintaining security policies/procedures
  – Develop a comprehensive “plan” and identify specific staff responsibilities

SECURITY
Use hardware/software to protect against and detect unauthorized access to systems
  – Accounts, passwords, firewalls
  – Procedures for allowing temporary or guest access (contractors/vendors) to tech resources: escort/sign-in procedures

SECURITY
Take steps to protect physical security
  – Physical access to tech resources
  – Who is authorized to access restricted or sensitive areas
  – Locked rooms, cabinets
  – System for periodic inventory of equipment

SECURITY
Develop a system for security logs
  – Ensure ALL significant security incidents are detected/logged/investigated/resolved
  – Especially “failed” login attempts
  – All unauthorized access to sensitive or critical system resources
  – Must be able to be effectively monitored
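An added example, not from the presentation, of the kind of monitoring the security-log slide calls for: it reads constructed login events and raises an alert on a burst of failed logins for one account and on a logon while the same user already has an open session on another machine (the concurrent access the earlier slide prohibits). The log format, the event names, and the five-failures-in-five-minutes threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; not from any real district system.
SAMPLE_LOG = """\
2024-05-01T07:58:02 LOGIN_OK user=jsmith host=hs-lab-01
2024-05-01T08:01:10 LOGIN_FAILED user=bjones host=ms-office-03
2024-05-01T08:01:25 LOGIN_FAILED user=bjones host=ms-office-03
2024-05-01T08:01:41 LOGIN_FAILED user=bjones host=ms-office-03
2024-05-01T08:02:05 LOGIN_FAILED user=bjones host=ms-office-03
2024-05-01T08:02:30 LOGIN_FAILED user=bjones host=ms-office-03
2024-05-01T08:10:00 LOGIN_OK user=jsmith host=es-library-02
2024-05-01T08:15:00 LOGOUT user=jsmith host=hs-lab-01
2024-05-01T09:00:00 LOGIN_FAILED user=kwhite host=hs-lab-05
2024-05-01T09:30:00 LOGIN_OK user=kwhite host=hs-lab-05
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAILED|LOGOUT) user=(\S+) host=(\S+)$")
FAIL_THRESHOLD = 5                  # assumption: 5 failures ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within 5 minutes is worth a look

def review_log(text, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return alert tuples; the first element names the alert type."""
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    sessions = defaultdict(set)     # user -> hosts with an open session
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            alerts.append(("unparseable_line", line))   # never drop events silently
            continue
        ts = datetime.fromisoformat(m.group(1))
        event, user, host = m.group(2), m.group(3), m.group(4)
        if event == "LOGIN_FAILED":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > fail_window:
                window.popleft()                          # forget failures outside the window
            if len(window) >= fail_threshold:
                alerts.append(("failed_login_burst", user, host, ts))
                window.clear()                            # one alert per burst
        elif event == "LOGIN_OK":
            failures[user].clear()
            elsewhere = sessions[user] - {host}
            if elsewhere:                                 # already signed on from another machine
                alerts.append(("concurrent_access", user, host, sorted(elsewhere)[0], ts))
            sessions[user].add(host)
        elif event == "LOGOUT":
            sessions[user].discard(host)
    return alerts
```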

SECURITY
Develop an awareness program for staff/employees who have access to the district’s information systems as part of employment
  – Enhance district data security by improving awareness of the need to protect system resources
  – Develop knowledge and skill to perform the job more securely
  – Training, communication, and a process for reporting

SECURITY
Documented policies and procedures for:
  – Resetting lost/compromised passwords
  – Requesting and receiving approval for access
  – Describing who is granted privileges
  – Notifying administrators of disabled accounts
  – How to disable accounts
  – Reviewing user access to data

CONTINUITY PLAN
What happens if there is an emergency and the system goes down?
  – Need policies/procedures for restoration of critical systems/data
  – Identify persons responsible for restoration of specific systems/data
  – Alternate processing facilities (off site?)
  – Back up data
  – Training of staff
  – Test the plan

DATA BREACH
Develop a complete, formal data breach response policy
A data breach is a security incident in which sensitive or confidential data (PII) has potentially been accessed, stolen, or used by an unauthorized individual
Law requires recording of each incident
US Dept of ED recommends all districts create a data breach response policy

DATA BREACH
Policy should include:
  – Goals for the response process
  – The definition of a breach
  – Staff roles, reporting, remediation, feedback mechanisms
  – “Well publicized” and available to all personnel whose duties include data protection
  – Backing up data?

VENDOR CONTROLS
Establish a process for ensuring software the district purchases or uses complies with the district’s data security principles
Maintain a copy of all contracts with vendors that impact the district’s data or security
Contracts must conform to FERPA when relevant
Must require the vendor to provide appropriate security functionality for the district

THANK YOU!
Scott Summers, Director, School Laws, Missouri School Boards’ Association