Broward County Public Schools Information Security Guidelines v. 04042014

Introduction and Overview

The following information security guidelines, in conjunction with appropriate state and federal statutes, will serve as a foundation and strategic framework for the protection of Broward County Public Schools (BCPS) data. Use of BCPS equipment and/or networks constitutes acceptance of these policies. All BCPS staff and authorized non-staff must be aware of the risks and act in the best interest of BCPS. These standards detail users' responsibilities for computer security.

The latest version of the Information Security Guidelines will be posted to and to District Announcements in the CAB system. Requests for investigations related to any suspected violation of the following guidelines must be submitted to the Broward School District Police Department for official action.

1.1 Risks to BCPS

Any breach of data security could be costly to school system staff, users, and students as well as to the school system itself. Technical and business risks include:

- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system
- Altered, Inaccurate, Stolen, Destroyed or Intercepted data
- Loss of BCPS ability to process data

Business risks to BCPS include:

- Lawsuits for not protecting sensitive data; HIPAA violation penalties
- Loss of funding (for example, FTE) due to transmission of incorrect data to other agencies
- Unfair penalty or advantage to students due to transmission of incorrect data (for example, incorrect transcripts resulting in unfair penalty or advantage to students applying for college and/or scholarships)
- Liability for incorrect data (including State and Federal penalties)
- Errors in business decisions due to inaccurate data
- Negative publicity surrounding use of incorrect data
- Inability to process business transactions in a timely fashion or not at all

1.2 Scope

The Information Security Guidelines apply to:

- All authorized staff, temporary help, volunteers, students, auditors, consultants and vendors as well as unauthorized parties seeking access to BCPS computer resources
- All BCPS mainframes, servers, personal computers, outside services, network systems, wireless devices, BCPS-licensed software and any other device connected full or part time to the BCPS network
- All BCPS data and reports derived from these facilities
- All programs developed on BCPS time or using company equipment
- All terminals, communication lines, and associated equipment on BCPS premises or connected to BCPS computers over physical or virtual links
- All electronic media such as Hard Drives, Floppy Disks, CDs, DVDs, USBs, Smart Cards, Personal Digital Assistants (PDA), Portable Electronic Storage

2.0 Physical Security

Adequate building security (both physical and environmental) must be provided for the protection of all physical and logical BCPS computer assets and especially sensitive applications and data. Security includes, but is not limited to, lockable doors and windows, limited access, protection from water and the elements, alarms, access controls, and surveillance devices such as cameras and monitors. Site supervisors must protect all hardware and software assigned to their location.

3.0 System Security

Protect data by defining specific users or groups to specific system resources. Use the least privilege concept for access to all system-level resources such as the operating system, utilities, and databases. Least privilege is defined as a default of no access to these resources and the requirement of explicit permission and authorization by the owner based on need. The owner is responsible for specifying whether the data is sensitive and which user-ids will be authorized to access it, or who will be responsible for giving such authorization.

The practice of granting Everyone Full Control to resources should be strictly avoided. Users should be aware that unprotected folders on the network are prey to many different forms of hacking. It is the responsibility of the local site administrator and the owner of the data to ensure that this data is secure.

3.1 Best practices for file/folder security

Access to critical resources should be managed by assigning individuals to a group. The group should be set up with the authority necessary to do the specific job/task or access specific data. This will provide management with a more efficient method to remove access authority when a user is no longer responsible for performing the task. Group membership should be reviewed on a regular basis to ensure all members are appropriate. The practice of assigning data or application rights to individual user accounts should be avoided.

3.2 Information Privacy / Information Handling

Personally Identifiable Information (PII) is information which can be used to distinguish or trace an individual's identity, such as name, social security number, or biometric records, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, or mother's maiden name.

Broward County Public Schools regards security and confidentiality of personal data and information to be of utmost importance. Users of the BCPS network agree to adhere to these policies and procedures to protect personal data from unauthorized disclosure, alteration or misuse. A breach of the following confidentiality requirements may constitute grounds for disciplinary and/or legal action.

1. The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protected health information, which includes information related to health plan enrollment, payment and treatment. BCPS network users will implement reasonable and appropriate security measures to protect against reasonably anticipated threats to the security or integrity of EPHI (Electronic Protected Health Information). BCPS will evaluate risks and vulnerabilities in Broward Schools' environment and implement policies and procedures to address those risks and vulnerabilities.

2. The Family Educational Rights and Privacy Act (FERPA) sets standards for the privacy of students' educational records. BCPS network users will implement reasonable and appropriate security measures to protect these records, which may not be disclosed except to other school officials with legitimate educational interest, in other instances as permitted by FERPA or if valid consent is obtained from parents, guardians or eligible students (those over the age of 18).

3. Public Records: Certain information created and maintained by BCPS network users, including District correspondence, is subject to public record inspection pursuant to Florida Statute s created by BCPS employees while working on official business must include a reference or a disclaimer stating that the correspondence is subject to Public Records requests. Public records requests must be forwarded to the Public Relations & Governmental Affairs Department. messages that pertain to particular district business must be retained for as long as all other documentation that pertains to the same business. For details, refer to the current versions of the General Records Schedule for Local Government Agencies (GS1-L) and the General Records Schedule for Public Schools Pre-K-12, Adult and Vocational/Technical (GS7) publications. Both publications can be found at:

4. Other Confidential Information: Other information, such as certain types of employment records, social security numbers (SSN), and financial information for scholarship applicants (i.e. tax forms and earning statements) is classified as confidential. For more information on acceptable uses and disclosures of SSNs, refer to BCPS Form #4042 (employee SSNs) and the Code of Student Conduct (student and parent SSNs).

5. Responsible Administration: Unless there is a critical need to do so, Server Administrators, including the Information and Technology Department staff, are prohibited from viewing or otherwise manipulating user files on the user's network folder and local drive without the permission of the user or the approval of appropriate administrative, legal or police personnel. Critical need is defined as faulty system function, virus/malware activity, illicit hacking or Internet activities, pornographic or other offensive material activity, or other violations of District policies. These policies include, but are not limited to, the School and District Technology Usage Policy, the Policy, the Copyright Policy, the Information Security Guidelines or any other District policy, Board rule or directive relating to user conduct.

6. Disclosure: BCPS will disclose information, including personally identifiable information, data acquired by cookies, , and other data, where required by a subpoena, interception order or other lawful process. BCPS also reserves the right to disclose such information when we believe, in our sole judgment and to the extent consistent with applicable law, that such disclosure is necessary to protect the rights or safety of others.

7. Criminal Justice Information (CJI): Criminal Justice Information refers to data necessary for law enforcement agencies to perform their mission and enforce the laws, including but not limited to: biometric, identity history, person, organization, property (when accompanied by any personally identifiable information), and case/incident history data. Broward District Schools Police Department is responsible for the proper handling of CJI in accordance with the regulations set forth within the CJIS Security Policy CJISD-ITS-DOC available on Access control mechanisms to enable access to CJI shall be restricted by object and put in place to prevent multiple concurrent active sessions for one user id. Access controls shall be in place to ensure that only authorized personnel can add, change, remove devices and remove or alter programs. CJI systems will only be accessed on approved devices and never by BYOD or other district systems.

3.3 System Backup / Disaster Recovery

System data should be backed up regularly. It is good business practice to store backed-up data in a secure offsite location. Backup media should never be stored in the same vicinity as the server and should, at the very least, be placed in a waterproof container, in a secure location. Each department or school should periodically perform a recovery of test data to verify the procedure and validity of backups. Being prepared will make the recovery of data following catastrophic loss a smoother process.

Policies should specify the frequency of backups (e.g., daily or weekly, incremental or full), based on data criticality and the frequency that new information is introduced. As a generic setting, all servers are set up with the following backup scheme: full backups every Friday on alternating tapes, and differential backups on each of the other workdays, using a differently labeled tape for each day of the week. Two Friday tapes provide some level of full backup reaching back two weeks.

Data may be backed up on hard disk, magnetic disk, tape, or optical disks (such as compact disks [CDs] or DVDs). The specific method chosen for conducting backups should be based on system and data availability and integrity requirements.

4.0 BCPS Network Systems Security

Network systems include any local area network (LAN), wide area network (WAN), dial-up, VPN, Internet, servers, server connections, network appliances, switches, routers, lines, software, and data. The security must include both physical and logical layers of protection.

1. Windows servers should be upgraded, at a minimum, to the Windows 2003 operating system. Microsoft no longer supports Windows NT and will not provide fixes or reports for vulnerabilities.

2. Apple servers should be upgraded, at a minimum, to OSX 10.5 to take advantage of higher levels of security.

3. Windows desktops should be migrated, at a minimum, to Windows 7 to take advantage of higher levels of security.

4. Apple desktops should be migrated, at a minimum, to OSX 10.5 to take advantage of higher levels of security.

5. Timely installation of patches to all operating systems is required to help ensure that the vulnerabilities exploited by malware, viruses and Trojans are eliminated as the vendor uncovers and patches them.

6. The Information and Technology Department maintains the intrusion prevention system and enterprise firewall to prevent unauthorized access to the BCPS network. Exceptions requiring access from the outside must be documented by filling out a firewall modification request via CAB. Information and Technology Department /JDL will keep firewall audit logs and review them daily for illicit activity against the firewall.

7. Remote access into the BCPS network requires network authorization and access authentication. Users must adhere to Broward Schools VPN Guidelines.

8. Games, chat sessions, peer-to-peer (P2P) and instant messenger applications are prohibited on the BCPS network unless there is a legitimate educational purpose and prior approval. Chat and instant messenger applications can tie up a great deal of bandwidth and may be used by students for many illicit purposes. Use of such applications must be regulated and student use properly monitored. In particular, students can easily be put in contact with persons who may be a threat to their safety. Student users shall not agree to meet or meet with someone they have met online without parental approval.

Student users shall promptly disclose to their teacher or another school employee any message the user receives that is inappropriate or makes the user feel uncomfortable.

9. BCPS Board rules/directives/standards and Federal, State and Local Laws regarding the following topics must be read and followed at all times:
   a. BCPS School and District Technology Usage policy: Policy 5306
   b. BCPS Board rule regarding Copyright: Policy 6318
   c. BCPS Board rule regarding staff use of District systems:
   d. BCPS Protected Health Information: Policy 4019
   e. BCPS Student Records: Confidentiality and Family Educational Rights: Policy
   f. FERPA - (20 USC 1232g) and Florida Statutes and
   g. HIPAA (45 CFR parts )
   h. Public Records law Florida Statute

10. MPEG files (including the MP3 and MP4 formats) are audio and video files digitized and/or compressed into a format that can be read and transferred by a computer. Downloading or storing files of these or any other formats that do not have any educational value is prohibited. These files, though greatly compressed, are still fairly large and can tie up a great deal of bandwidth and computer storage. In addition, many have been illegally copied and infringe on copyrights owned by the artists and record/movie companies. Streaming audio and video is a similar type of data but it is being sent in a continuous stream directly to the computer's media player rather than as a file for storage. This sort of streaming content uses large amounts of District bandwidth and, like the MPEG files mentioned above, may involve copyright infringement. For these reasons, streaming audio and video is also prohibited unless it has a valid educational purpose.

11. District-wide security initiatives such as McAfee E-Policy Orchestrator (EPO) anti-virus software and LANDesk patch management software must be complied with on all network connected District computers. LANDesk agents are mandatory and will be placed on all devices on the network to assist in patch management, technical assistance and software compliance. All software should be updated with patches and service packs provided by the manufacturer as they become available, especially if there is a security enhancement. Users should be aware that although these updates are tested before applying to production systems, occasionally patches are released before all the bugs have been detected and removed. With the wide array of system configurations and applications in use throughout the district, it is nearly impossible to test a patch in every situation. Patches that cause a problem should be reported to the Information and Technology Department so that alternate remediation methods can be applied.

12. Users should never load software or register at a web site using District computers without carefully reading the End User License Agreement (EULA). Free software, in particular, often comes with the understanding that spyware and/or ad-ware will be loaded on your machine. This kind of software runs in the background and allows others to watch what you do on your computer and install software on your computer without your knowledge. Spyware and ad-ware can also be loaded on your machine when you visit some web sites. Be sure that your browser preferences are set so that software cannot be loaded on your computer without notifying you.

13. The use of remote access services such as dial-in technology with a modem is prohibited unless authorized by the Information and Technology Department. This provides a "back door" around network security by giving users a direct connection to a remote server. If remote access is authorized and sensitive/confidential data is to be transmitted, the line must be secured by Virtual Private Network (VPN), Secure Socket Layer (SSL), or some other technology that encrypts the data so that it is never transmitted in clear text. Hackers using sniffer technology often scan transmission lines looking for data they can use.

14. The use of communications software that provides the ability to remotely "take over" a network connected PC is prohibited unless authorized by the Information and Technology Department. Examples of this type of software are built-in Windows Remote Desktop Connection, VNC or GoToMyPC. If it is used, it should be strictly controlled by the local administrator and user. It should be turned on only when support is needed (and the user has given permission, if applicable) and immediately turned off once the support has been provided. LANDesk and Apple Remote Desktop are the management tools of choice and have been authorized by the Information and Technology Department provided that they are used in a secure fashion.

15. Hacking software has been designed to allow unauthorized persons to infiltrate computers on the network, view and modify data, and spy on a user's keystrokes in an effort to get user ids and passwords. The Information and Technology Department reserves the right to randomly scan or monitor any computers attached to the BCPS network in an effort to detect the presence of any "hacking software" or irregular operations that may be present on the network. The Information and Technology Department also reserves the right to disconnect any device or user on the network that appears to pose a threat.

16. Network Scanning tools are not permitted unless approved by the Information and Technology Department:
   a. Improper use of scanning tools can corrupt system files, user account information and databases.
   b. Hackers generally start their illicit activities by scanning networks searching for unprotected resources with these tools.
   c. Any scan of the BCPS network may appear to be the work of a malicious entity.
   d. Scanning anywhere in the BCPS WAN is traceable to the source and those responsible can be identified.

17. Cracked software is software that has had internal security broken (cracked) and has been made available to others by illegal means. Cracked software is strictly prohibited.

18. To meet Children's Internet Protection Act (CIPA) regulations, BCPS Internet content filtering technology limits the kinds of Internet sites that can be viewed on the BCPS Internet connection. Pornography sites, sites advocating violence or bigotry, sites with games, hacking tools, and cracked software are examples of what will be blocked. There will be no bypassing of the BCPS Internet content filtering without the Information and Technology Department authorization. Software that bypasses filtering and other data security mechanisms is prohibited. Internet content filtering audit logs showing Internet activity and sites visited by users may be reviewed at any time. Site administrators reserve the right to block any sites deemed by them to be inappropriate to their individual site.

19. Administrative computers are defined as non-classroom computers used for BCPS business functions, computers holding or accessing student academic and demographic data, computers where staff and staff tasks are stored and/or viewed. Administrative computers should be kept physically and virtually separate from instructional computers. Students are not to have access, either physical or virtual, to production servers or any administrative computers.

20. Every effort should be made to secure classroom machines on which student testing, test grading and evaluation, grade book activities and staff functions are carried out. Security includes installing application passwords and timeouts, up-to-date anti-virus software, installation of the LANDesk patch management agent to ensure the computer has the most recent software and operating system security patches, and separate computers for teacher-only access, where possible.

21. All administrative computers and server consoles that are used to access or control sensitive data must have a screen saver timeout and password after a 20 minute period of inactivity or some other lockout mechanism to prevent unauthorized persons from accessing these environments. If needed, these computers may also have boot up passwords for increased security.

22. Outside access to BCPS networks should only be through hardened web servers. This means that web servers should have no other applications running on them that may require a decrease in security settings. Publicly accessible servers should exist on the De-Militarized Zone (DMZ) where access rules can be put into place to protect internal BCPS network resources should that server become compromised.

23. Every request for administrative rights on any machine on the Broward School's network will be carefully reviewed by IT Security. Special attention is paid to any device that will be accessible to the public.

24. Personally owned computing devices such as desktops, laptops, Personal Digital Assistants (PDA), or portable/removable storage devices/media such as USB jump drives should not be connected to any BCPS network without network administrator/site supervisor approval, accompanied by a signed acknowledgement form in which the individual agrees to abide by certain operational criteria explained on standard Personally Owned Devices Guideline forms. These devices may carry applications, configurations, malware or viruses that could pose a risk to the network or may be used to remove data from the network. The owner of the personal device will take on the responsibility of making that device compliant with the BCPS Information Security Guidelines before connecting to the BCPS network. BCPS does not provide technical support for personal computers. See the BCPS Personally Owned Devices Guidelines for details.

25. Devices like routers, hubs, switches, firewalls, wireless access points, other network devices, modems, alternative cabling or Wi-Fi connectivity solutions, whether personally or District owned, should not be installed without prior approval from the site supervisor and the Information and Technology Department. Once approved, techs are required to bring these devices into compliance with these standards. The Information and Technology Department reserves the right to randomly scan or monitor for the presence of insecure devices connected to BCPS networks. The Information and Technology Department also reserves the right to disconnect any device that appears to pose a threat to the BCPS network.

26. The Information and Technology Department has the right to uninstall and ban the use of any application or device that cannot be upgraded, updated or patched to eliminate known security vulnerabilities. Machines maintained by the Information and Technology Department to provide any kind of specialized services are not exempt from this practice.

27. Network file shares should not be used for storing personal pictures, videos and music files.

28. BCPS authorized staff must not install any hardware or software that compromises data, passwords, applications, or any other computer-related BCPS assets unless authorized to do so by the Information and Technology Department. Staff should also be careful not to expose sensitive data using the file-sharing capabilities of their computer.

29. Unlicensed copies of software are not to be installed or used on BCPS devices.

30. Security reviews to monitor employee and vendor access will be performed daily. These will include but are not limited to a review and restriction of super-user, system-level, root and administrative accounts. Security reviews will also be performed for all network devices.

31. Installation of FTP services is strictly prohibited unless approval is granted by the Information and Technology Department. Anonymous FTP is strictly prohibited.

32. Installation of WEB services is prohibited unless approval is granted by the Information and Technology Department.

33. Use of social networking and community based websites must be for legitimate educational purposes. Use of such online communities must be regulated and student use properly monitored. In particular, students can easily be put in contact with content and persons who may be a threat to their safety. Users must be aware of online safety and responsible online expression when posting content to any website.

4.1 Active Directory

BCPS authentication and authorization for network resources will be served from the browardschools active directory. All sites will be under this single domain.

1. The Information and Technology Department has established and maintains the Windows 2008 root Active Directory for BCPS and determines local and group policy settings.

2. Creation of user accounts within the active directory will be done by an automated process sourced by TERMS and SAP.

3. Group membership is automated by role based assignment and membership revoked upon location transfer.

4. User accounts are automatically disabled when a user is no longer associated with the district such as at time of retirement, termination, transfer or graduation.

5. All servers will be added to the Information and Technology Department established Active Directory forest.

6. All district owned end user devices will be joined to the domain.

7. Apple Xserves will be bound to active directory in a hierarchical authentication model with OpenDirectory integration, where applicable.

8. Domain Controllers at the local site are under the Information and Technology Department authority and are not to be managed in any way by the local administrators without prior approval of the Information and Technology Department.

9. Local administrators will have the capability to perform all account management and computer management tasks for entities within their own Organizational Unit. User account management is limited to password resets and group memberships.

10. The Information and Technology Department will have Enterprise Administrator rights to all Organizational Units in the District forest.

11. The Information and Technology Department will have the ability to create/modify group policies for all Organizational Units.

12. The Information and Technology Department will provide advanced notification of group policy changes.

13. Local administrators will have the capability to create group policies within their own Organizational Unit.

4.2 Wireless Network Connections

Wireless network components have become a very attractive alternative to cabling due to their low cost, support for mobility, and relative ease of installation. If installed without proper security, however, they pose the same threat to Broward Schools' informational assets as if a hacker was able to plug directly into one of Broward Schools' network jacks.

As with any components of the BCPS computer system, all security precautions must be taken on portable devices such as laptops, notebooks, cell phones and tablets to ensure that the informational assets of the District are not put at risk. Portable devices require extra attention because physical security for these devices is much more difficult to achieve. Users must be aware of the ease with which laptops and especially smartphones can fall into the wrong hands due to their small size and portability, and the resulting loss of security. Users should observe the following:

1. Network installations with wireless components must maintain the highest appropriate level of security. At the very least, encryption should be turned on, membership should be limited to those having ids defined as being authorized to join the network or having the correct network name and key, and all default passwords should be changed.

2. The Information and Technology Department must be informed of all District wireless installations.

3. All wireless installations must be enterprise capable. This allows configuration and management to be handled remotely.

4. Site supervisors and techs should check that other staff do not install rogue devices without approval and/or correct security settings. These devices become open doors to hackers seeking to get into the network.

5. Houses and businesses around a site may provide accidental associations with their networks. Care should be taken to avoid tapping into outside wireless networks.

6. Wireless log files shall be reviewed monthly. The Information and Technology Department reserves the right to randomly scan or monitor for the presence of insecure wireless devices connected to BCPS networks.

7. The Information and Technology Department reserves the right to disconnect any wireless device that appears to pose a threat to the BCPS network.

8. The Information and Technology Department is authorized to scan for unauthorized or unsecured wireless devices and remove these devices from the network.

9. Use of power-up and activity timer passwords is recommended on tablets and notebooks.

10. All portable devices are susceptible to viruses and therefore should have antivirus software installed where applicable. It should be set to scan e-mails and attachments as well as regular files if available. Timely installation of patches to the operating system will help ensure that the vulnerabilities exploited by viruses and Trojans are eliminated as the vendor uncovers and patches them.

11. Communications with the network via the Internet or Intranet must be secure and should require a valid network id and password.

12. Network passwords are not to be saved on the device, but must be retyped with each network logon. Passwords should never be written or otherwise stored on the device itself or the carrying case.

13. Mobile devices should never be left unsupervised in a location with public access.

4.3 Portable Storage Media

There are times when the use of portable media is necessary to support a user population that is mobile or working remotely. Storing data outside the protections of the network is a potential source of risk. Portable media can provide a vector for the introduction of viruses, malware or malicious content which would otherwise have been blocked by perimeter security devices. Caution must be taken when the use of portable media is unavoidable; the following guidelines help mitigate some of the associated risk.

1. Portable Storage Media such as USB drives, CD/DVDs, Flash memory, and other portable devices are at risk of loss or theft and must be protected at all times.

2. Users should avoid using portable media or portable devices such as tablets/laptops to store sensitive data and, if unavoidable, the sensitive data must be encrypted. Encryption is a way of encoding information in such a way that only the person with the key or password can decode it. The passwords used to encrypt documents should not be kept in the same location with the document nor e-mailed to the recipient within the same correspondence.

3. Sensitive data should only be copied to portable storage media upon proper approvals and users must take reasonable measures to protect that device from loss or theft.

4. Portable storage media should be physically labeled with contact information so that it can be returned to the owner if found.

5. Extra care must be taken to ensure that all computers with which the portable storage is shared are up-to-date with operating system patches and antivirus. It is easy to spread viruses or introduce viruses to other networks via portable storage media.

6. Antivirus should be used to scan the portable storage media device before each use.

7. Loss or theft of a portable storage media device containing sensitive data must be reported immediately.

8. Data must be purged from a portable media device when it is no longer needed and upon retirement or disposal of the device.

5.0 Disposal of Equipment / Physical Media

When equipment becomes obsolete or no longer usable, it is important to ensure that data has been deleted or sanitized so that it is not easily recoverable. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. Physical media that is sensitive in nature, such as paper copies, should be shredded and destroyed before disposal.

1. Due to the diverse nature of the data stored on hard drives, removable media, and other storage devices, it is necessary to ensure proper media disposal to prevent unauthorized use after removal from service.

2. Sensitive data on damaged devices should always be cleaned if at all possible before the device is sent to a repair facility.

3. Data and software licensed to SBBC must be removed from Storage Devices when they are moved or retired from service. Storage devices are found in, but not limited to: Servers, Desktops, Laptops, Handheld Devices, Phones, Tablets, Network Switches, Routers, Printers, External Hard Drives, USB Flash drives.
4. Ensuring adequate destruction of data is the responsibility of the site that owns the equipment.
5. Physical media (paper copies) shall be securely disposed of when no longer required, using formal procedures. Formal procedures for the secure disposal or destruction of physical media shall minimize the risk of sensitive information compromise by unauthorized individuals. Physical media shall be destroyed by shredding or incineration. Agencies shall ensure the disposal or destruction is witnessed or carried out by authorized personnel.

6.0 Staff Security Responsibilities

BCPS authorized staff have the following security responsibilities:

1. All authorized staff members are responsible for protection of BCPS assets, including computers and data.
2. BCPS computer equipment is for BCPS business and educational functions only. It is not to be used for unauthorized activities.
3. Users are responsible for maintaining the confidentiality of their user credentials.
4. Authorized staff will not use or reveal specific network infrastructure information except in an official need-to-know capacity. This data includes but is not limited to router/switch configurations, IP addresses, protocols, and access lists. This information can be used by hackers seeking to gain illicit entry into the network, and the more people who have this information, the greater the chance of exposure to persons with bad intentions.
5. Staff must see to it that students or other unauthorized persons never have physical or virtual access to servers and administrative computers anywhere at their location. Before leaving a computer unattended even for a minute, log off or lock the computer to prevent unauthorized use.
6. Personally owned licensed software must be approved by local administration before being installed on BCPS equipment. The software must have legitimate business or instructional functions. Proof of licensing must be presented to the local administrator and should be kept on file at the site along with the licenses of District-owned software installed.
7. Users are not to engage in any activities that might compromise computer assets belonging to BCPS.
8. Users must not use BCPS computer assets to access and inappropriately use networks outside of the BCPS network.
9. Users who subscribe to outside providers, such as AOL or Hotmail, for their e-mail services must also load and maintain current versions of anti-virus software with settings to check attachments for infection.
10. Users are only allowed to view and/or use those applications for which they have been authorized by their supervisor or other BCPS-designated authorizing staff. The specific functions for which users are to be authorized are determined and/or approved by the site supervisor or designee. End users by default will not have administrator rights over the local workstation unless specifically required.
11. Site supervisors are responsible for ensuring that all policies are observed.
12. Site supervisors are also responsible for informing authorized staff and users of these guidelines and staff security responsibilities.
13. Authorized staff should be informed of BCPS computer security standards. New or recently authorized staff should be informed during orientation. Use of BCPS equipment and/or networks constitutes acceptance of these policies.
14. Any authorized staff approached with a proposition to violate these standards should notify their supervisor and/or the Information and Technology Department. This also applies to any authorized staff observing any activity that may be a violation of these standards.
15. Stolen computer equipment must be reported to the site supervisor and network administrator immediately so that steps can be taken to protect the network from unauthorized access.
16. It is the responsibility of all staff to protect Broward Schools students from inappropriate material, especially on the Internet. The District makes every effort to filter inappropriate content, but in this ever-growing industry where new sites are published every second, it is hard to keep ahead of the game. The BCPS School and District Technology Usage Policy delineates the proper use of the Internet by students and staff and defines that viewing content which is offensive, obscene or otherwise inappropriate is prohibited. Inappropriate sites must be reported to the Information and Technology Department immediately. Any staff member who discovers students accessing inappropriate sites should report this activity and there should be penalties for repeated abuse of the Acceptable Use Policy. Content that is not necessarily offensive for all audiences, but that is deemed inappropriate for an individual school, can be blocked pending the Principal/Director's approval.
17. Vendors or other outside agencies seeking access to BCPS equipment or data are to be informed of these standards and the Information and Technology Department network administrators should be notified.

6.1 User-ids and Passwords

Regarding user-ids and passwords:

1. No one is permitted to access BCPS networked computers without a user-id and password.
2. Users are responsible for all activity associated with their user-id.
3. User-ids may be disabled when an incorrect password has been entered an excessive number of times within an appropriate period.
4. User-ids will be revoked on all computer platforms when the user is terminated or transferred.
5. User-ids may be revoked, cancelled, or suspended at any time.
6. A User-id may be revoked or cancelled if it has not been used for 120 days.

7. Student user-ids will consist of the TERMS Student ID number.
8. Staff user-ids will be the employee personnel number preceded by a P.
9. Passwords will be at least 8 characters long.
   - Must contain at least one alphabetic and at least one numeric character
   - Must contain at least one alphabetic special or punctuation character (if supported by the host system/application)
10. Passwords must be changed at least every n days, where n is the least number of days when considering all of the managed targets' password expiration settings. It is recommended that passwords change at least every 90 days.
11. Last 10 passwords in the password history must not be reused.
12. Passwords must not contain three or more of the same character in succession (if supported by the system/application).
13. Users are requested to refrain from using common passwords (i.e. first name, last name, spouse or pet names, school nicknames, the word password, any word found in the dictionary, not same as userid).
14. Users may change their password at any time.
15. If users suspect the confidentiality of their password has been compromised, they must change their password immediately. If they are unable to change the password themselves, they should contact their supervisor or appropriate staff at the Information and Technology Department to have the reset performed.
16. Staff must not engage in any activity that may reveal or otherwise compromise their own or another user's password.
17. There is to be no auto-caching of passwords. This means that the password is to be retyped each time the user logs in to the network or application.
18. Under no circumstances should any individual, including supervisors, ask for any other individual's password, unless under penalty of law.
19. Avoid transmitting or storing passwords in clear text whenever possible. If available, password encryption should be turned on.
20. Passwords should not be displayed when entered.
21. Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "Broward County Schools is #1!" and the password could be: "BcS1s#1!" (<-- Don't use that as your password either)
22. Here is a list of "don'ts" for passwords:
   - Don't reveal a password over the phone to ANYONE
   - Don't reveal a password in an e-mail message
   - Don't reveal a password to the boss
   - Don't talk about a password in front of others
   - Don't hint at the format of a password (e.g., "my family name")
   - Don't reveal a password on questionnaires or security forms
   - Don't share a password with family members
   - Don't reveal a password to co-workers while on vacation
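The mechanical rules in items 9 through 13 and the history rule in item 11 can be enforced at password-change time. The checker below is an added example, not part of the BCPS guidelines or any BCPS system; the user-id, the word list, the PBKDF2 parameters and the reading of the second sub-rule of item 9 as "one special or punctuation character" are assumptions.

```python
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 8            # item 9
HISTORY_DEPTH = 10        # item 11
PBKDF2_ROUNDS = 100_000   # assumption: the guidelines do not name an algorithm

# Constructed stand-in for a dictionary file (item 13).
COMMON_WORDS = {"password", "welcome", "school", "broward", "teacher"}

RULES = {
    "length":  "item 9: fewer than 8 characters",
    "alpha":   "item 9: no alphabetic character",
    "digit":   "item 9: no numeric character",
    "special": "item 9: no special or punctuation character",
    "repeat":  "item 12: three or more of the same character in succession",
    "userid":  "item 13: same as the user-id",
    "common":  "item 13: common word or personal name",
    "history": "item 11: matches one of the last 10 passwords",
}


def hash_password(password, salt=None):
    """Return (salt, digest); history is kept as salted hashes, never clear text (item 19)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if password matches any of the most recent HISTORY_DEPTH (salt, digest) pairs."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, user_id, personal_names=(), history=()):
    """Return the keys of every violated rule; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isalpha() for c in password):
        problems.append("alpha")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c in string.punctuation for c in password):
        problems.append("special")
    if re.search(r"(.)\1\1", password):
        problems.append("repeat")
    if password.lower() == user_id.lower():
        problems.append("userid")
    # Strip digits and punctuation so "Password1!" is still caught as "password".
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    banned = COMMON_WORDS | {n.lower() for n in personal_names}
    if letters_only in banned:
        problems.append("common")
    if in_history(password, history):
        problems.append("history")
    return problems


if __name__ == "__main__":
    # Constructed sample user-id and passwords.
    for candidate in ["BcS1s#1!", "Password1!", "aaa12345"]:
        found = check_password(candidate, "P00012345")
        print(candidate, "->", [RULES[k] for k in found] or "acceptable")
```

The sample password from item 21 passes every mechanical rule here, which is why the guidelines still warn against reusing a published example: rule checks cannot tell that a password is already known.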

6.2 Personal Data

Many potential data protection issues can be alleviated if personal data is handled appropriately and deleted when no longer needed.

1. Personal data, such as date of birth and social security numbers, are to be accessible only where necessary for specific job functions.
2. Personal data should be adequate but not excessive in relation to the purpose for which they are processed, and will not be further processed in any manner.
3. Personal data should not be downloaded to a local workstation unless absolutely needed and in such cases must be password protected and encrypted.
4. Personal data processed or accessed for any purpose should not be kept longer than is necessary.
5. Personal data that is not accessed regularly, but which still needs to be retained, should be safely archived or put offline.

7.0 Device Naming Standards

Desktop Workstations: Location-room-device (e.g., )
Laptops: Location-room-L# (e.g., L1, L2, etc.)
Leased Laptops: Location-Serial Number (e.g., H52012MSE7, 0011-G3GJ911)
Virtual Machines: Host Computer Name VM (e.g., host: ; Virtual Name: VM)
Wireless Cart Laptops: Location#-WCART01-## (e.g., 0011-WCART01-01, 0011-WCART01-02, etc.)
Printers: Location-room-P# (e.g., P1, P2, etc.)
Server - Windows: Member server names are derived from a three letter ship-to code (represented by XXX below) appended with CB or MS and a sequential number starting at one (e.g., xxxcb01 or XXXMS01). Domain controllers will have AD and a sequential number appended to the three letter ship-to code (e.g., xxxad01).
Server - Apple: Ship-to-code + xserve + device# (e.g., CBHXSERVE01, where CBH is the ship-to code for Cypress Bay High, xserve, 01 is the first of its type)
Wireless Access Points: SHIP-TO-CODE-Cart1 (e.g., OBECart1, where OBE is the Ship-to-Code for Orange Brook ES and Cart 1 is the first cart, OBE-Cart2, etc.)

8.0 DHCP Standards

The use of Dynamic Host Configuration Protocol (DHCP) to assign IP addresses is becoming a standard at many sites. The following should be the foundation for a proper deployment of DHCP:

1. DHCP service should be provided by a Windows 2003 or 2008 server with the latest service packs and updates.
2. All DHCP leases must be logged to include MAC (physical) address and Device Name.
3. DHCP logs must be backed up and information contained within the logs retrievable for no less than one year.
4. Lease duration should be set to allow the maximum lease time possible for the population of a given scope. Default lease time is set to 60 days.
5. Site administrators must be able to pinpoint the location of an IP address at any given time and also track where that IP has been in the past.
6. DHCP may be used to configure devices with other options such as WINS, DNS, and VOIP options.
7. DHCP scopes may include approved reservations and exclusions when needed for business use.

9.0 Ongoing Security Guideline Maintenance

The Information and Technology Department will periodically assess the guidelines, review any change in system status, functionality, design, etc., and ensure that the plan continues to reflect the correct information about the system. The Information and Technology Department is responsible for periodically reviewing these information security guidelines to ensure that BCPS data is provided adequate protection. All BCPS departments and schools should keep abreast of the latest changes in security for software unique to their site and notify the Information and Technology Department of security changes. Some items to include in the review are:

1. Change in information system owner;
2. Change in information security representative;
3. Change in system architecture;
4. Change in system status;
5. Additions/deletions of system interconnections;
6. Change in system scope;
7. Change in authorizing official

The latest version of the Information Security Guidelines will be posted to and to District Announcements in the CAB system.

Standards Compliance

Keeping Broward Schools students safe online, teaching them to use digital tools and content in an ethical and responsible manner, and ensuring Broward Schools network and devices are secure are basic tenets of school and district professionals. The only way to ensure that Broward Schools network is secure is for all users to abide by security guidelines. The Information and Technology Department reserves the right to audit BCPS locations for compliance with these security guidelines. Failure to comply with this or any BCPS computer security policy or standard will result in further action as per school board policies.

References:

Revision History

1.5 January 8, March 20, July 16, September 15, October 6, May 23, November 17, July 3, March 20, April 9, April 12, February 7, April 4,


More information

'Namgis First Nation. 1.0 Overview. 2.0 Purpose. 3.0 Scope. 4.0 Policy

'Namgis First Nation. 1.0 Overview. 2.0 Purpose. 3.0 Scope. 4.0 Policy Created: 2/18/2011 Page 1 of 8 'Namgis First Nation is hereinafter referred to as "the government." 1.0 Overview Though there are a number of reasons to provide a user network access, by far the most common

More information

CITY OF BOULDER *** POLICIES AND PROCEDURES

CITY OF BOULDER *** POLICIES AND PROCEDURES CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of

More information

Columbus Police Division Directive. I. Definitions. May 15, 1993 10.01 REVISED. Division Computer Systems

Columbus Police Division Directive. I. Definitions. May 15, 1993 10.01 REVISED. Division Computer Systems Columbus Police Division Directive EFFECTIVE NUMBER May 15, 1993 10.01 REVISED TOTAL PAGES Mar. 30, 2014 9 Division Computer Systems I. Definitions A. Executable File A program or file that automatically

More information

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI Office of Regulatory Compliance 13001 E. 17 th Place, Suite W1124 Mail Stop F497 Aurora, CO 80045 Main Office: 303-724-1010 Main Fax: 303-724-1019 HIPAA Policy 7.1 Title: Source: Prepared by: Approved

More information

The Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

The Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3 Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Student use of the Internet Systems is governed by this Policy, OCS regulations, policies and guidelines, and applicable law.

Student use of the Internet Systems is governed by this Policy, OCS regulations, policies and guidelines, and applicable law. OCS Internet Acceptable Use and Safety Policy for Students The Opportunity Charter School ( OCS or the School ) provides access to OCS s Internet Systems for its students for educational purposes, in conformance

More information

HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE

HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE This plan describes the standards for the security of all data contained in the Philadelphia Continuum of Care Homeless Management Information System

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices 8-27-2015 4-007.1 Supersedes 4-007 Page Of 1 5 Responsible Authority Vice Provost for Information

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

About this Tool Information Security for Residents...

About this Tool Information Security for Residents... About this Tool Information Security for Residents... Purpose: Provide materials to inform and educate Residents in order to reach compliance regarding information security. Audience: New Residents Information

More information

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks The Valmeyer Community Unit School District #3 Board of Education supports the use of the Internet and other computer

More information

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks The Valmeyer Community Unit School District #3 Board of Education supports the use of the Internet and other computer

More information

Chronic Disease Management

Chronic Disease Management RESOURCE AND PATIENT MANAGEMENT SYSTEM Chronic Disease Management (BCDM) Version 1.0 Office of Information Technology (OIT) Division of Information Resource Management Albuquerque, New Mexico Table of

More information

MEMORANDUM INFORMATION TECHNOLOGY SERVICES DEPARTMENT

MEMORANDUM INFORMATION TECHNOLOGY SERVICES DEPARTMENT MEMORANDUM INFORMATION TECHNOLOGY SERVICES DEPARTMENT TO: John Phillips, City Manager Number: 04-020 SUBJECT: Computer Network, Internet and E-Mail Access Policy Date: 9/903 Attached is copy of the Information

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Computer Security Policy (Interim)

Computer Security Policy (Interim) Computer Security Policy (Interim) Updated May, 2001 Department of Information Systems & Telecommunications Table of Contents 1. SCOPE...1 2. OVERVIEW...1 3. RESPONSIBILITIES...3 4. PHYSICAL SECURITY...4

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

University of Northern Colorado. Data Security Policy for Research Projects

University of Northern Colorado. Data Security Policy for Research Projects University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

EMPLOYEE ACCESS RELEASE AND AUTHORIZATION FORM MCS warehouse form No. 14197

EMPLOYEE ACCESS RELEASE AND AUTHORIZATION FORM MCS warehouse form No. 14197 (Return this page to the Executive Staff member or Principal) MEMPHIS CITY SCHOOLS EMPLOYEE ACCESS RELEASE AND AUTHORIZATION FORM MCS warehouse form No. 14197 As a condition of using the MCS network, I

More information

On-Site Computer Solutions values these technologies as part of an overall security plan:

On-Site Computer Solutions values these technologies as part of an overall security plan: Network Security Best Practices On-Site Computer Solutions Brian McMurtry Version 1.2 Revised June 23, 2008 In a business world where data privacy, integrity, and security are paramount, the small and

More information

NETWORK SECURITY GUIDELINES

NETWORK SECURITY GUIDELINES NETWORK SECURITY GUIDELINES VIRUS PROTECTION STANDARDS All networked computers and networked laptop computers are protected by GST BOCES or district standard anti-virus protection software. The anti-virus

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Riverside Community College District Policy No. 3720 General Institution

Riverside Community College District Policy No. 3720 General Institution Riverside Community College District Policy No. 3720 General Institution BP 3720 COMPUTER AND NETWORK USE References: Education Code Section 72400 Penal Code 502 17 U.S. Code Sections 101, et seq. It shall

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

NC DPH: Computer Security Basic Awareness Training

NC DPH: Computer Security Basic Awareness Training NC DPH: Computer Security Basic Awareness Training Introduction and Training Objective Our roles in the Division of Public Health (DPH) require us to utilize our computer resources in a manner that protects

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS 1. Purpose This directive establishes the Department of Homeland

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Information Technology Acceptable Use Policies and Procedures

Information Technology Acceptable Use Policies and Procedures Information Technology Acceptable Use Policies and Procedures The following Information Technology Acceptable Use Policies and Procedures are to be followed by ALL employees, contractors, vendors, and

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

National Cyber Security Month 2015: Daily Security Awareness Tips

National Cyber Security Month 2015: Daily Security Awareness Tips National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.

More information

BRING YOUR OWN DEVICE (BYOD) STUDENT & PARENT GUIDELINES. Version 5

BRING YOUR OWN DEVICE (BYOD) STUDENT & PARENT GUIDELINES. Version 5 BRING YOUR OWN DEVICE (BYOD) STUDENT & PARENT GUIDELINES Version 5 08/25/2015 Table of Contents BYOD Program Overview... 3 What is BYOD?... 3 BYOD Rationale... 3 Overview of BYOD Program... 3 Objective

More information

Appropriate Use Policy Technology & Information

Appropriate Use Policy Technology & Information CLACKAMAS COUNTY EMPLOYMENT POLICY & PRACTICE (EPP) EPP # 59 Implemented: 05/20/10 Clerical Update: Appropriate Use Policy Technology & Information PURPOSE: To establish rules governing use of County information

More information

Security Policy Spring 2010. Information Security Policy

Security Policy Spring 2010. Information Security Policy Information Security Policy April 6, 2010 1 1. Introduction 3 2. General PC Usage and Password Management 3 4. Laptops 5 5. Personal Computer Software 5 6. Remote Access Policy 6 7. Remote Access from

More information

Rules of the Road for Users of Smithsonian Computers and Networks

Rules of the Road for Users of Smithsonian Computers and Networks Rules of the Road for Users of Smithsonian Computers and Networks Introduction Smithsonian systems, networks and other computer resources are shared among Smithsonian employees, interns, visiting scholars,

More information

Appendix H: End User Rules of Behavior

Appendix H: End User Rules of Behavior Appendix H: End User Rules of Behavior 1. Introduction The Office of Management and Budget (OMB) has established the requirement for formally documented Rules of Behavior as set forth in OMB Circular A-130.

More information

Delaware State University Policy

Delaware State University Policy Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information