skip to main content

Policy 3040 - Technology Security

The purpose of this policy is to provide requirements for maintaining the confidentiality, integrity, availability, and accountability of HCPSS technology resources and data. The policy will address protection of HCPSS technology, access controls, technology equipment inventory management, network security, physical security, configuration management, and data security.

Policy Document

I. Policy Statement

The Board of Education of Howard County recognizes the value of technology security throughout the Howard County Public School System (HCPSS). The Board values the need for a clear and consistent technology security policy, in compliance with legal and regulatory mandates, that promotes awareness and communicates expectations for safeguarding and securing HCPSS technology.

II. Purpose

The purpose of this policy is to provide requirements for maintaining the confidentiality, integrity, availability, and accountability of HCPSS technology resources and data. The policy will address protection of HCPSS technology, access controls, technology equipment inventory management, network security, physical security, configuration management, and data security.

III. Definitions

Within the context of this policy, the following definitions apply:

  1. Account Credentials – Any data or object used specifically for the purpose of gaining access (authenticating) to an electronic system, most often a username and password combination.

  2. Authentication – Verification of an individual’s identity through username/password or other mechanism.

  3. Banner Text – The notification sent to a user prior to authentication on a system.

  4. Confidential Data – Individual, fact, statistic or item of information whereby access is restricted based on least privilege.

  5. Data Center – A dedicated area of a building that supplies the electrical necessities and environmental conditions required to operate servers, network technology, and other electronic systems.

  6. Digital Tool – Any website, application (app), or software that requires an account.

  7. Intermediate Distribution Frame (IDF) – A non-primary distribution area for data cables from the main distribution frame.

  8. Least Privilege – The methodology whereby each user is assigned only the appropriate level of access needed for their responsibilities.

  9. Main Distribution Frame (MDF) – The primary distribution area for connecting HCPSS equipment to subscriber carrier equipment.

  10. Network – The means of transmitting data between systems; includes wired and wireless technologies.

  11. Online Resource – Any website, application (app), or software that does not require an account.

  12. Technology – Electronic devices, network infrastructure, or any applications including but not limited to software, online resources, digital tools, social media, and email.

IV. Standards

  1. Protection of HCPSS Technology

    1. The HCPSS reserves the right to take all necessary legal action to protect the confidentiality, integrity, availability, and accountability of its technology.

    2. The HCPSS reserves the right to take all necessary legal action to prevent its technology from being used to attack, damage, harm, or exploit others.

    3. Use of HCPSS technology to gain or attempt to gain unauthorized access to any system or information is prohibited.

    4. The HCPSS reserves the right, in accordance with legal and regulatory mandates, to monitor, archive, audit, or purge the contents of electronic communications, files, and other material created or stored using HCPSS technology, or data transmitted over HCPSS networks.

    5. The HCPSS reserves the right, in accordance with legal and regulatory mandates and as authorized by the Superintendent/Designee, to access or disclose, for investigative purposes, the contents of electronic communications, files, and other material created or stored using HCPSS technology or data transmitted over HCPSS networks.

    6. Failure by any individual using HCPSS technology to comply with this policy will result in the temporary or permanent restriction of technology access privileges, in addition to any applicable disciplinary actions or financial obligations.

    7. The HCPSS will maintain technology security incident response procedures in support of this policy and regulatory mandates including Maryland breach notification requirements.

  2. Access Controls

    1. Individuals using HCPSS technology will authenticate using individual account credentials. Exceptions will be approved by the Superintendent/Designee and documented.

    2. Individuals are prohibited from sharing HCPSS-assigned account credentials unless permitted, in writing, by the Superintendent/Designee.

    3. Individuals are granted access to HCPSS data and resources based on a least privilege methodology.

    4. Access to HCPSS technology, granted by virtue of the individual’s role, will be terminated when the individual’s role is fulfilled or terminated.

  3. Technology Equipment Accountability

    1. All HCPSS technology equipment will be accounted for and tracked by location and functionality in an automated system before distribution.

    2. HCPSS technology equipment will be audited periodically to ensure consistency and accuracy of the automated inventory system.

    3. All HCPSS technology equipment must be disposed of in accordance with the National Institute of Standards and Technology (NIST) published standards.

  4. Network Security

    1. All HCPSS technology networks will be designated as open or restricted.

      1. Restricted HCPSS technology networks will be configured to protect against unauthorized access.

      2. Individuals are prohibited from connecting non-HCPSS technology to restricted HCPSS networks without prior written approval from the Superintendent/Designee.

      3. Individuals may connect non-HCPSS technology to open wireless HCPSS technology networks in accordance with Policy 8080 - Responsible Use of Technology and Social Media.

    2. The HCPSS will employ banner text, where practical, to provide notice of legal rights and responsibilities to individuals using HCPSS technology.

  5. Physical Security

    1. Physical access to data centers, main distribution frames (MDFs), and intermediate distribution frames (IDFs) will be controlled to prevent and detect unauthorized access to these areas. Access to these areas will be granted to those persons who have legitimate responsibilities in those areas.

    2. All data centers will be secured using technologies that monitor individual access and provide auditable access logs.

    3. Individuals responsible for HCPSS technology must take reasonable steps to ensure the physical security of HCPSS technology.

  6. Configuration Management

    1. HCPSS technology systems will be evaluated for appropriate security controls and approved by the Superintendent/Designee.

    2. HCPSS technology systems will be monitored to confirm configuration and to determine the effectiveness of security controls.

    3. Changes to HCPSS technology systems will be evaluated, approved, and documented by the Superintendent/Designee.

  7. Methods for transmitting and storing student education records, personnel records, or confidential data electronically will be reviewed and approved by the Superintendent/Designee.

V. Responsibilities

  1. The Superintendent/Designee will maintain guidelines for secure configuration of HCPSS technology.

  2. The Superintendent/Designee will maintain a process for creating, managing, and documenting account credentials.

  3. The Superintendent/Designee will inform HCPSS technology users regarding the provisions of this policy at least annually.

  4. The Superintendent/Designee will review this policy at least every three years and recommend it for revision as necessary.

VI. Delegation of Authority

The Superintendent is authorized to develop procedures for the implementation of this policy.

VII. References

  • Electronic Communications Privacy Act/Stored Communications Act, 18 U.S.C. §2701-27112

  • Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232(g)

  • Title XVII, Children’s Internet Protection Act, 47 U.S.C. §254(h) and (l)

  • Maryland Personal Information Protection Act, Md. Code Com. Law §§ 14-3501 et seq.

  • Protection of Information by Government Agencies Md.,State Govt. Code §§ 10-1301 to 10-1308

  • The Annotated Code of Maryland, Education Article, §4-131, Student Data Privacy Act of 2015

C. Relevant Data Sources

  • Central Inventory Database

  • Help Desk Database

  • Information Technology Audit Logs

D. Other

  • Data Center Access Procedures

  • HCPSS Device Agreement Form

  • HCPSS Student Code of Conduct

  • Information Technology Change Management Guideline

  • National Institute of Standards and Technology (NIST) Special Publication 800-88

  • Request for Computer User Account Form

  • Technology Security Incident Handling Form

  • The State of Maryland (SOM) Information Security Policy, Version 3.1 Issued February 2013

  • The State of Maryland Information Technology (IT) Disaster Recovery Guidelines, Version 4.0 Issued July 2006

VIII. History

ADOPTED: March 11, 2010

REVIEWED:

MODIFIED:

REVISED: May 9, 2013, June 9, 2016

EFFECTIVE: July 1, 2016