Policy 3040 Implementation Procedures - Technology Security

Implementation Procedures

I. Dissemination of Information

  1. Notification of the provisions of this policy and these implementation procedures will be given annually, and as otherwise required, to all students, families, employees, and service providers. Methods may include:

    1. Publications in school and Howard County Public School System (HCPSS) newsletters, handbooks, and other documents.

    2. Notifications posted in areas that provide access to technology (e.g., media center, computer lab, classrooms, and staff workroom).

    3. Notifications posted on school and HCPSS websites, including but not limited to, the learning management system and the staff communication tool.

    4. Ongoing notification/reviews for students by classroom teachers, media specialists, or other appropriate employees.

    5. Inclusion, whenever possible and appropriate, into the process of accessing digital tools and/or files.

    6. Periodic announcements in schools over the public address system at the beginning of the school year and at other times as appropriate.

  2. Principals are responsible for notifying all students, families, employees, volunteers, contractors, and interns in their schools of the responsibilities of use of HCPSS technology at the beginning of the school year, with reminders as necessary.

  3. Department supervisors are responsible for notifying those under their supervision of the provisions of this policy and these implementation procedures.

  4. The Office of School Facilities is responsible for notifying individuals or organizations seeking to use HCPSS technology as part of an agreement to use school system facilities (Policy 10020 Use of School Facilities) of the provisions of this policy and these implementation procedures.

  5. The Office of Safety and Security, in collaboration with the Department of Information Technology and the Office of Strategy and Data Privacy, is responsible for providing annual Data Privacy and Security Awareness Training for all HCPSS employees.

  6. Security notifications and advisory information will be published for relevant audiences through various media including but not limited to the learning management system, the staff communication tool, and HCPSS websites.

II. General Procedures

  1. Electronic Communications

    1. Individuals will have no expectation of personal privacy or confidentiality of any electronic communication when using HCPSS technology.

    2. HCPSS technologies that store or transmit employee data, student record data, financial data, or other legally confidential data will implement appropriate authentication and encryption technologies to prevent unauthorized access or modification.

    3. Individuals using HCPSS technology will ensure that both their usage and electronic communications content are in compliance with all other HCPSS policies.

  2. Online Testing

    1. For security purposes, all online testing will be conducted in accordance with the state, local, and vendor-specific guidelines, policies, and procedures.

    2. All data saved to computers and servers for online testing administration and execution will be deleted in accordance with the state, local, and vendor-specific guidelines, policies, and procedures.

  3. Security Vulnerability Assessments

    1. The Superintendent/designee will coordinate annual technology security vulnerability assessments consistent with industry best practices and in compliance with regulatory mandates.

    2. The HCPSS may contract with third party companies or individuals to perform external security vulnerability assessments and penetration tests.

  4. Technology Security Incident Response

    1. All HCPSS technology security investigations will be authorized by the Superintendent/designee.

    2. The HCPSS will monitor HCPSS technology for potential security incidents.

    3. The HCPSS reserves the right to access, record or, if necessary, remove content stored in an individual’s assigned account on HCPSS technology with prior written approval from the Superintendent/designee.

    4. The HCPSS reserves the right to restrict or remove any device suspected of contributing to a security incident.

    5. The Superintendent/designee will document all HCPSS technology security investigations.

    6. The Superintendent/designee will conduct all HCPSS technology security incident investigations in strict confidence.

    7. Investigations into incidents involving a potential breach of an individual’s private data will include the following:

      1. Notifications to individuals will be required if it is determined that an individual’s personal information has been breached and misuse has occurred or is likely to occur.

      2. If 1,000 or more individuals are involved in a breach notification, the HCPSS will also notify each consumer reporting agency as defined by 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notices.

      3. If misuse is not likely to occur, as in cases where the information breached was protected by encryption and there is no evidence the encryption key had been compromised or disclosed, notifications to individuals will not be required.

      4. The HCPSS will maintain records on determinations for data breach notifications for three years after the determination has been made.

  5. Storage Media Handling and Disposal

    1. Access to HCPSS storage media including, but not limited to, magnetic tapes, hard disks, CDs, DVDs, USB memory sticks, cloud storage, etc., will be secured utilizing the least privileges methodology.

    2. All service to HCPSS computers and servers will be performed onsite by authorized HCPSS personnel or authorized contractors. If a computer or server must be taken offsite for service, all hard drives, CDs, and DVDs will be removed prior to the equipment leaving the premises. If removal of any/all hard disks, CDs, or DVDs is not feasible, prior approval to remove the equipment will be obtained in writing from the Superintendent/designee.

    3. All HCPSS storage media including, but not limited to, hard disks, CDs, DVDs, USB memory sticks, etc., will be disposed of in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88.

  6. Systems Development Life Cycle

    1. All HCPSS systems and applications will be developed or procured in compliance with all legal regulatory mandates.

    2. When feasible, all HCPSS systems and applications will employ the latest software versions and patch levels to ensure maximum functionality and security.

    3. HCPSS application training and testing data will not include confidential or personally identifiable information (PII).

    4. All HCPSS application and HCPSS system source code will be managed in a controlled, auditable environment.

    5. Changes to HCPSS technology will be evaluated, approved, and documented in accordance with the Information Technology Change Management Guideline.

    6. HCPSS systems will be designated as either critical or non-critical.

    7. Disaster Recovery procedures will be maintained and tested for all critical HCPSS systems.

  7. System Security

    1. The HCPSS will employ technology security measures, including monitoring, to ensure the confidentiality, integrity, availability, and accountability of its technology and data.

    2. Open wireless networks will be configured to notify users of network monitoring capabilities and the provisions of HCPSS Policy 8080 Responsible Use of Technology, Digital Tools, and Social Media.

    3. All publicly accessible HCPSS systems will be located in a separate dedicated network segment configured to restrict access to internal trusted networks.

    4. Publicly accessible critical HCPSS systems will be monitored by an automated vulnerability assessment system at least weekly to confirm configuration and determine the effectiveness of implemented security controls.

    5. Critical HCPSS systems will maintain audit logs to track user activity and actions that are administratively prohibited. Audit logs will be reviewed at least weekly.

    6. Individuals will not attempt to circumvent, modify, or disable technology security measures implemented by the HCPSS.

    7. Wireless access points will be configured utilizing at least Wi-Fi Protected Access (WPA) encryption. Exceptions will be approved by the Superintendent/designee.

  8. Account Credential Assignment and Use

    1. Account Credential Assignment

      1. HCPSS employees will be assigned individual account credentials once employment with the HCPSS has been verified.

      2. Students will be assigned individual account credentials once enrollment in the HCPSS has been verified.

      3. Contractors, volunteers, interns, and others will be assigned individual account credentials upon approval of the Request for Computer User Account Form.

      4. Password length and complexity requirements will be established for each system in order to prevent unauthorized access to or modification of confidential data.

      5. Temporary account passwords will be unique to the individual recipient and will be changed by the individual upon next login.

      6. Account credentials are granted in accordance with an individual’s role and will be revoked when the individual’s role is fulfilled or terminated.

    2. Employee’s Individual Account Credential Assignment

      1. Passwords will not be the same as the account username.

      2. Passwords will not be shared with others.

      3. Passwords will be a minimum of eight characters consisting of mixed alphabetic and numeric characters.

      4. Passwords will be evaluated regularly against publicly available password compromise databases.

      5. Password changes may be required at various intervals, depending on the system.

      6. Password reuse will be prohibited by not allowing the last 10 passwords to be reused, with a minimum of two days each.

      7. Employee accounts associated with a password will be restricted after six unsuccessful logon attempts.

      8. All employee accounts will be disabled after 60 days of inactivity unless prior approval is obtained from the Superintendent/designee.

      9. Employees may be required to use Multi-Factor Authentication for access to HCPSS systems.

      10. The HCPSS reserves the right to modify employee account credentials upon change in employment status, as directed by the Superintendent/designee.

    3. Student Account Credentials

      1. Passwords will not be the same as the account username.

      2. Passwords will not be shared with others.

      3. Passwords will be a minimum of six characters consisting of mixed alphabetic and numeric characters. Exceptions may be allowed based on demonstrated need.

      4. Password changes will be required at various intervals, depending on the system.

      5. Password reuse will be prohibited by not allowing the last 10 passwords to be reused, with a minimum of two days each.

      6. The HCPSS reserves the right to disable student accounts.

    4. Contractor Account Credentials

      1. All contractor accounts must have an assigned HCPSS employee sponsor.

      2. Contractor accounts may include the contractor’s email address to facilitate communication.

    5. Shared Account Credentials (credentials used by more than a single individual)

      1. The HCPSS may create shared account credentials in support of specific tasks with the approval of the Superintendent/designee.

      2. Shared accounts will only be used for the specific tasks for which they were intended.

III. HCPSS Technology Equipment Accountability

  1. Physical inventory of HCPSS Technology equipment will be performed.

  2. Principals/supervisors will ensure that HCPSS Technology equipment inventory will be completed on an annual basis.

IV. Violation of Policy

  1. Any individual who suspects a violation of this policy or these implementation procedures will report the alleged violation to an appropriate administrator or supervisor for investigation.

  2. The administrator or supervisor will report the suspected violation to the Superintendent/designee for further investigation and potential disciplinary action.

  3. In cases that may be criminal in nature (threats, stalking, harassment, etc.) or that may pose a safety threat, an investigation will be conducted in consultation and cooperation with the Superintendent/designee.

  4. In cases of probable or potential harm to an individual, appropriate follow-through and communication with the individual in danger and others who are in a position to protect that individual from harm including, but not limited to, law enforcement, if necessary, must be undertaken by the individual who discovers the probable or potential harm.

  5. Suspicious activity can be reported anonymously through the HCPSS main website - Reporting Fraud and Abuse. Reports can also be emailed directly to abuse@hcpss.org.

V. Definitions

Within the context of these implementation procedures, the following definitions apply:

  1. Cloud Computing – The on-demand availability of online resources, digital tools, data storage, computing power, and technologies over the Internet to offer faster innovation and flexible resources.

  2. Cloud Storage – Cloud computing model that stores data on the Internet through a provider who manages and operates data storage as a service which provides agility, global scale and durability, with “anytime, anywhere” data access.

  3. Multi-Factor Authentication – Authentication method that requires the user to provide two or more verification factors to gain access to a digital tool, online resource, or technology.

VI. Monitoring

Policy 3040 implementation procedures will be overseen by the Division of Administration.

VII. History

ADOPTED: March 11, 2010

REVIEWED: December 13, 2018

MODIFIED:

  • August 17, 2017

  • February 13, 2020

  • May 12, 2022

REVISED:

  • May 9, 2013

  • June 9, 2016

EFFECTIVE: May 12, 2022

Policy History Key

  • Adopted-Original date the Board took action to approve a policy
  • Reviewed-The date the status of a policy was assessed by the Superintendent’s Standing Policy Group
  • Modified-The date the Board took action to alter a policy that, based on the recommendation of the Superintendent/designee, did not require a comprehensive examination
  • Revised-The date the Board took action on a policy that, based on the recommendation of the Superintendent/designee, needed a comprehensive examination
  • Effective-The date a policy is implemented throughout the HCPSS, typically July 1 following Board action.