information technology policies
Post on 21-Dec-2021
INFORMATION TECHNOLOGY
SECURITY AND PROCEDURES MANUAL
FOR THE
FRANKLIN COUNTY SCHOOLS,
WINCHESTER, TENNESSEE
2010-2014
FRANKLIN COUNTY SCHOOLS, WINCHESTER, TENNESSEE
Franklin County Schools 2010-2013 2
Contents
Introduction: Using Information Security
Supervision
CHAPTER 1 HARDWARE, PERIPHERALS, AND OTHER EQUIPMENT
    Purpose and Scope
    New Equipment Installation
    Testing Systems and Equipment
    General Procedures
    Standard Items
    Non-Standard Items
    Payment
    Technology Grant Coordination
    Cabling, UPS, Printers, & Modems
    Consumables
    Working Off Campus or Traveling
    Using Secure Storage
    Documenting Hardware
    Other Hardware Issues
    Check Out Equipment
CHAPTER 2 CONTROLLING ACCESS TO INFORMATION AND SYSTEMS
    Managing Access Control Standards
    Storage Limits
CHAPTER 3 PROCESSING INFORMATION AND DOCUMENTS
    Downloading Files and Information from the Internet
    Use of Email
    Use of the Internet for Work Purposes
    Web Sites
    Telephone Conference Calls
    Videoconferencing
    Recording of Telephone Conversations
    Misdirected Fax Information
    Ordering Items Over the Telephone
    Data Management
    Backing Up Data
    Security of Personal Information
CHAPTER 4 SOFTWARE ACQUISITION AND ACCEPTANCE TESTING
    Scope
    Responsibility for Compliance
    Identifying Software to Acquire
    Conducting Software Evaluations
    Conducting Documentation Evaluations
    Software Evaluation Forms
    Documenting Corrective Actions
    Ensuring Corrective Actions are Completed
    Software Acceptance Checklist
    Suggested Actions Prior to Software Approval
    Top Ten Questions to ask your Software Vendor
CHAPTER 5 PHYSICAL SECURITY OF NETWORK DEVICES
CHAPTER 6 WIRELESS SECURITY
CHAPTER 7 REMOTE ACCESS AND AGREEMENT
    Purpose
    Scope
    Supported Technology
    Eligible Users
    Appropriate Use
    Non-Compliance
    Employee Declaration
CHAPTER 8 PRINTERS
    Purpose
    Scope
    Supported Printers
    General
    Employee Declaration
CHAPTER 9 PERSONAL DIGITAL ASSISTANTS (PDA)
CHAPTER 10 PASSWORDS
    Purpose
    Scope
    Expiration
    Password Construction Guidelines
    Password Protection Guidelines
    Enforcement
CHAPTER 11 NETWORK SECURITY FOR PORTABLE COMPUTERS
    Introduction
    Protecting the Laptop
    Laptop User’s Responsibilities
    Security Audits
    Declaration of Understanding
    Declaration of Certification
CHAPTER 12 HUMAN RESOURCES CONSIDERATIONS
    Compliance
    Job Descriptions
    Third Party Inclusion
    Security of Keys
    Intellectual Property Rights
    Protecting Confidentiality
    Access to System-Owned Information
    References
    Staff Disaffection
    Staff Leaving Employment
CHAPTER 13 STAFF AWARENESS & TRAINING
    Providing Updates to Staff
    Security Training for New Systems
    Information Security Training for IT Staff
CHAPTER 14 PREMISES SECURITY
    Site Selection
    Challenging Strangers
    Data Storage
    Security of Keys
CHAPTER 15 DETECTING & RESPONDING TO INFORMATION SECURITY INCIDENTS
    Reporting
    Responding
    System Weaknesses
    Responsibility
CHAPTER 16 OPERATIONS CONTINUITY MANAGEMENT
    Planning
    Risk Assessment
    Testing the OCP/DRP
    Awareness
    Maintaining and Updating the OCP/DRP
CHAPTER 17 REQUESTS FOR TECHNICAL SUPPORT
Introduction: Using Information Security
The purpose of this manual is to ensure system-wide security of Franklin County Schools’ information
technology network. It augments security guidance previously published in the approved District
Technology Three-Year Plan and Franklin County Board of Education (FCBOE) policies relating to use
of the internet and electronic mail, available on the Franklin County Schools’ website under FCBOE
Online Policies.
While the procedures herein lay a solid foundation for the development and implementation of secure
practices for Franklin County Schools, the procedures themselves are not instructional or overly
descriptive. Compliance will require an understanding by faculty and staff of not only the individual
procedures, but also of the circumstances in which such compliance is expected in day-to-day activities.
Knowing the procedures is only one-half of the equation – everyone needs to know how they should
comply, from a procedural perspective.
Supervision
Teachers and Supervisors are reminded that, in accordance with the District Technology Plan, “Teachers
are required to monitor online activities of students.” This will greatly reduce incidents of hacking and
other inappropriate behavior by students or staff which can lead to reduced effectiveness of the system-
wide network.
CHAPTER 1 HARDWARE, PERIPHERALS, AND OTHER EQUIPMENT
Purpose and Scope
This chapter covers all information technology hardware, software, and computer-related components
purchased with Franklin County Schools funds. Specifically, the following technology resources are within
the scope:
- Desktops, laptops, personal digital assistants, cell phones, iPads, and servers.
- Software running on the devices mentioned above (see Chapter 4).
- Peripheral equipment, such as printers and scanners.
- Cables or connectivity-related devices.
- Audio-visual equipment, such as projectors and document cameras.
All hardware, software, or components purchased with school funds are the property of FCBOE. This also
includes all items purchased using a personal credit card for which the employee is later reimbursed. The
Technology Department is charged with performing the maintenance, repair, and replacement for school
building technology equipment; however, the department is not funded for the purchase of all replacement
parts or other items for all the schools.
All purchases of new systems hardware or new components for existing hardware must take into
consideration Information Security and FCBOE policies, as well as technical standards. Such requests to
purchase must be based upon user requirements and take into account long-term organizational needs
because of the expense involved in making subsequent changes. Information Security issues to be
considered when planning for purchases or accepting donated equipment include the following:
- The system must have adequate capacity or else it may not be able to process your data.
- Data must be adequately protected; otherwise, there is a risk of loss or accidental/malicious
  damage.
- The system must be sufficiently resilient to avoid unplanned down-time, which can have an
  immediate negative impact upon the school.
It is necessary to understand, in detail, the specific functional performance and capacity requirements as
part of the hardware purchasing process. For this reason, departments must consult with the Information
Technology Department before submitting requisitions for new hardware. This is because, without
adequate analysis, the school board may:
- Purchase inappropriate hardware for the desired task.
- Purchase a system that does not comply with the school’s technical architecture or technology
  strategy.
- Fail to achieve the best value when such things as price, performance, reliability, capacity, and
  support issues are considered.
- Supply confidential information to a vendor without the need-to-know.
A number of comparable bids may be necessary to make an informed comparison and purchase
appropriately because without these there is the risk of a sub-optimum quote.
New Equipment Installation
Installation of new equipment must be properly considered and planned to avoid unnecessary disruption
and to ensure that Information Security issues are adequately covered. Planning considerations for new
equipment installation include the following:
- The equipment must be located in a suitable environment; otherwise, it may fail.
- Any disclosure of network environment, security features, locations, configurations, etc., during
  installation exposes potential vulnerabilities which could be exploited.
- Efforts will be made to avoid disruption to activities such as classes, tests, exams, etc., and to
  avoid disruption to other operational systems.
Testing Systems and Equipment
All equipment must be fully and comprehensively tested and formally accepted by the IT Department
before being transferred to the live environment. Hardware should be tested when new to verify it is
working correctly, and then further tests applied periodically to ensure continued effective functioning.
General Procedures
- If an employee or department wishes to purchase hardware, software, or computer-related
  components, they should review the Standard Items list first. If a desired item does not appear
  on the Standard Items list, then see the procedure for Non-Standard Items below.
- All purchase requests for hardware, software, or computer-related components must first be
  approved by a Principal or Supervisor before submission to the IT department. In all cases,
  the request for purchase must be justified.
- All requests must be submitted to the IT department for final purchase approval. If the
  requested item is already in inventory, then it will be made available to the requestor within
  two business days, assuming justification of need is sufficient. All approved requests for items
  not in inventory will be forwarded to Franklin County Finance Purchasing for processing.
- Non-standard items found connected to the network may be removed from the network at the
  IT department’s discretion.
Standard Items
The Standard Items list contains pre-approved vendors and products upon which FCBOE has standardized.
Standard items have been proven to be both supportable by the IT department as well as cost-effective.
All items on the Standard Items list will be reviewed for cost effectiveness, reliability, acquisition time, and
quality of vendor support at least every six months. The Standard Items list is maintained by the IT
Department and is available upon request.
Non-Standard Items
There are some instances in which non-standard items (i.e., items not appearing on the
Standard Items list) can be purchased:
- In the event of an emergency where purchasing items through regular channels and waiting
  for delivery will take too long.
- In the event that an employee or department needs specialized software or some other
  component that is not on the standard items list, but is required to perform work or complete a
  project.
Employees or departments requesting non-emergency specialized software or components must submit a
plan detailing how this item will be supported before approval will be granted. Support options include
assigning a staff member to maintain and/or support the component, arranging for external vendor support,
or arranging for a service level agreement with the IT department.
Payment
Because of the expense involved, the Technology Department will purchase replacement lamps for LCD
projectors where needed. All other purchases for consumables such as ink, toner, and cartridges, as well as
replacement parts required for repair or maintenance of technology equipment must be made by the schools
within their budget allowances. Exceptions in unusual circumstances are at the discretion of the Chief
Technology Officer.
The following items will be paid for out of the IT department’s budget:
- Replacement lamps for LCD (or data) projectors.
- Servers and the parts associated with the upkeep of this equipment, including UPS.
- Switches, cables, raceway, and other items associated with networking the computers.
The following items will not be paid for by the IT department, and therefore must be paid for out of
individual departments’ operating budgets:
- All other replacement parts or consumables (ink, cartridges, toner, bulbs, etc.)
- Surge protection and Uninterruptible Power Supply (UPS) for non-server hardware.
- Out of warranty parts or replacements.
Technology Grant Coordination
Notice of intent to apply for technology-related grants to fund purchases of hardware, software, or other
programs should be sent in advance to the IT Department in order to coordinate the endeavor system-wide.
The purpose is not for the IT Department to serve as the grant writer or provide final approval for grants,
but to become the clearinghouse for the many technology-related grants for which it is possible to apply
and to keep key players informed of potential funding resources. This will eliminate redundancy in grant
submissions and reduce potential conflict among schools/programs within the system. The FCBOE IT
Department also stands ready to assist with grant-writing endeavors if required. The Point of Contact for
grant matters at the IT Department is Jody Starnes, Administrative Assistant to the CTO.
Cabling, UPS, Fax Machines, Printers and Modems
An Uninterruptible Power Supply (UPS) is to be installed on all critical computer equipment to ensure the
continuity of services during power outages. The UPS differs from the surge protector in that it not only
provides surge protection during voltage spikes, but also uses a battery or batteries to provide continuous
power if electricity is lost for a period of time. This is a critical component which enables continuity of
function in the event of power failure. This is critical because if the main power fails for any reason, your
system will crash and data files may be corrupted. A malfunctioning UPS may cause your systems to crash
in an uncontrolled manner following a main electrical failure. Such crashes can often corrupt data files.
Sensitive or confidential information may only be faxed where more secure methods of transmission are
not feasible. Both the owner of the information and the intended recipient must authorize the transmission
in advance. The information security risks associated with use of fax machines stem from the relative
insecurity of the medium, which may lead to confidential data being disclosed to unauthorized persons, or
fraudulent incoming messages resulting in action being taken that is detrimental to the organization.
Printers output information on a continual basis in many offices, and the content of that information can
vary from inconsequential intra-office notices to highly confidential information containing personal
identification and information. If sensitive information must be sent to a network printer, ensure the
presence of an authorized person to safeguard confidentiality during and after printing. This will ensure
that confidential information is not revealed to unauthorized persons and printed stationery is not used
fraudulently.
Network cabling remains a vulnerable target as it can be exposed and unprotected. Malicious damage to
networks can cause disruption to processing and communications. Illegal hacking into networks may
compromise data and security measures, such as user names and passwords. Accidental damage to cabling
can threaten data processing. Network cabling must be installed and maintained by IT Department
personnel to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network
wall sockets should be sealed off and their status formally noted.
Consumables
Printer ink, printer toner, paper, forms, and stationery must be purchased by schools for their staff’s use and
usage monitored to discourage theft and improper use. Pilfering of consumables results in increased
organizational expense and confidential data may be revealed to unauthorized persons from discarded
consumables, e.g. discarded draft printer output. Shredders should be used to destroy documents
containing confidential or sensitive information, or any form of personal information.
Working Off Premises or Traveling with Computer Equipment
Supervisors must authorize the issue of mobile devices. Laptops, portables, iPads, Smartphones, or
organizers that connect to and store data are included. Collectively, they are referred to as mobile devices.
Usage is restricted to school business and users must be aware of and accept the terms and conditions of
use, especially the responsibility for the security of the equipment and information held on such devices.
Persons issued mobile devices who intend to travel for school business purposes must be made aware of the
information security risks relating to portable computing equipment and implement the appropriate
safeguards to minimize risk. Also, any movement of hardware between schools is the authority of the IT
Department. Re-location of serial numbered items requires that Budget Managers document the re-location
each time the items are moved, for inventory purposes and security management.
Using Secure Storage
Sensitive or valuable material and equipment must be stored securely and guarded against theft or
vandalism. Valuable material is identified by the Franklin County School System Bar Code tag placed on
the item at the time of delivery to the user. If the material or equipment has a tag, it is of sufficient value to
warrant secure storage and safeguarding. Information of a personal or valuable nature may be classified by
the school system as requiring secure storage. Lockable storage filing cabinets or cases must be used to
store these documents with valuable school information contained thereon.
Documenting Hardware
Hardware documentation must be kept up-to-date and readily available to the staff who are authorized to
support or maintain the systems. “Documentation” refers to operator manuals and technical documentation
supplied by the vendors or suppliers. A register or database of all computer equipment used in the schools
is maintained by the use of the FCBOE Fixed Asset Program.
Other Hardware Issues
Equipment owned by Franklin County Schools may only be disposed of by authorized personnel who have
ensured that the relevant security risks have been mitigated. All users of workstations, PCs, and laptops are to
ensure that their screens are blank when not being used, i.e., log off the computer when finished working
and when departing the classroom or office. This will prevent exposure of confidential material that can be
read from the screen, especially when the workstation is logged on and the user is away from the desk.
Sensitive or confidential information must not be recorded on answering machines or left in voicemail.
Leaving such information on a recording device is a breach of confidentiality. Only suitable and approved
cleaning materials are to be used on equipment owned by Franklin County Schools. Deliberate or
accidental damage to school property must be reported as soon as discovered.
CHAPTER 2 CONTROLLING ACCESS TO INFORMATION AND SYSTEMS
Managing Access Control Standards
Access control standards for information systems should incorporate the need to balance restrictions to
prevent unauthorized access against the need to provide unhindered access to meet the educational needs of
the schools. Access to school-owned systems must be authorized by the FCBOE for the appropriate users,
and password protection afforded the user having access. Logon screens or banners that supply
information about the system prior to successful logon must not be used and should be removed as they can
assist unauthorized users to gain access.
Equipment is always to be safeguarded appropriately, especially when left unattended. Faculty and
students must log off classroom computers upon completion of use to avoid subsequent use by
unauthorized persons. Computer equipment that is logged on and left unattended can present a tempting
target to unauthorized users on the premises.
Access to the resources on the network must be strictly controlled to prevent unauthorized use. Access to
all computing and information systems and peripherals shall be restricted unless explicitly authorized.
Unauthorized access to programs or applications could lead to fraudulent transactions or false entries,
damage, corruption and inappropriate use of student or school data, hacking, or introduction of viruses.
Access to Operating System commands is restricted to persons performing systems administration under
the control of the IT Department. No one else is authorized access to Operating Systems.
Password use and management is a primary means to control access to systems. Passwords must not be
shared with any other person for any reason.
Access to Information & Documents must be carefully controlled, ensuring that only authorized personnel
have access to sensitive information.
Remote Access to Franklin County Schools systems increases the threat of unauthorized access, and
therefore must be controlled with identification, authentication, and encryption where available. Remote
users who need to communicate directly with the school’s systems to receive/send data and updates will
often be connecting through public networks. This increases the threat of unauthorized access.
Accordingly, remote access may be denied to users if compromise of school data is expected. Please see
Remote Access below.
Devices such as hard drives should not be shared, as this creates a vulnerability and ease of access for
hackers.
Storage Limits
Due to limitations in server space and to keep from overloading a network of the size used by the Franklin
County Schools, teacher and staff users are limited to 500MB of storage. Users exceeding this limit will be
asked to remove documents and/or files to comply with the maximum limit of 500MB of storage. Use of
USB flash drives, cloud applications, and/or CD-ROMs for storage is encouraged.
CHAPTER 3 PROCESSING INFORMATION AND DOCUMENTS
Appropriate data and information must be made available to authorized persons as and when required. For
all other persons, access to such data is prohibited. Making multiple copies of an original file is
discouraged unless specifically required by Franklin County Schools or FCBOE policies.
Third party access to school information not covered under any Freedom of Information Act is not
permitted unless the risk is considered to be negligible. Allowing persons external to the school system
access to systems and data can not only compromise the confidentiality of the information, but can result in
loss of data validity and integrity.
Downloading Files and Information from the Internet
Great care must be taken when downloading files and information from the internet to safeguard against
malicious code as well as inappropriate material. These pose significant Information Security risks such as
viruses or other malicious codes which infect the entire system. In addition, downloaded software often
requires licensing in order to avoid legal action from the supplier.
Use of Email
Electronic mail should only be used for school business purposes. Only email accounts created for faculty
and staff by the internet service provider and provided by the FCBOE should be used on the Franklin
County Schools network. Students are not provided with FCBOE email accounts, either individually or
generically. The attachment of data files to messages is only recommended following scanning of the files
for viruses or other malicious codes, not to exceed 5MB. Attachments containing personal or confidential
information must be encrypted (or password-protected).
Email is sent via public lines, which means it is like a post card – anyone who picks it up can read it.
Confidential files or information sent in email or as an attachment is a breach of that confidentiality.
Relying upon email from a legal perspective is not advised as simple email messages are not authenticated.
Personal email sent from one individual to another using the school’s systems may be misconstrued as
coming from the organization itself and may result in Information Security issues.
Incoming email must be treated with the utmost care because of its inherent information security risks.
Opening email with file attachments should not be done until the attachments have been scanned for
viruses or other malicious code.
Data retention periods for email should be established to meet business requirements and adhered to by
staff. Retention of email can consume significant storage capacity on systems, especially where files have
been received and stored. Email “Inboxes” must be cleaned out regularly to remove items from the
network. Remember that Inbox items reside on the network and may be opened and read by any system
administrator or other persons with access to the email system.
Unsolicited email must be treated with caution and never responded to. If the sender is a hacker, this
validates the email address and verifies that a person opened the mail, thus opening the door to the spread
of potential viruses or a denial of service attack.
Users must ensure that information being forwarded in email (especially attachments) is correctly
addressed and is only being sent to appropriate persons. When email is forwarded, the individual is adding
his/her name and details to it. Ensure you are comfortable with the information contained in the original
because any security risk associated with the original mail to you will also apply to the forwarded email.
Users must guard against unauthorized “phishing” for personal information, since reputable firms do not
request this sensitive information via email.
The Franklin County Board of Education (FCBOE) has published a “Use of Electronic Mail” policy (Board
Policy #1.805). Please read and adhere to this policy, noting particularly the legal ramifications to use of
the internet. This policy is available on the Franklin County Schools website under FCBOE Online
Policies.
Use of the Internet for Work Purposes
To reduce the threat of Information Security incidents, administrators are responsible for controlling user
access to the Internet, as well as for ensuring that users are aware of threats and trained in safeguarding
their systems from threats. Inappropriate access and downloads are both a misuse of school system
resources and, in some cases, are illegal. Unauthorized use of the Internet wastes time and resources.
Staff authorized to make payment by credit card (purchasing card or P-card) for items ordered on the
Internet are responsible for its safe and appropriate use. Confidential organizational credit card details
(PINs and account details) may be compromised during transmission. Passing credit card details to
unknown third parties over the Internet compromises security. Lost or stolen credit card numbers are often
posted and used illegally over the Internet.
Web browsers should be used in a secure manner by making use of the built-in security features of the
software concerned. Supervisors and Principals must ensure that staff is made aware of the appropriate
settings for the software concerned. Web browser software and email software are new paths through the
school system’s network’s security shield that could be exploited by an intruder. The security issues are in
the areas of “Cookies,” Java applets, JavaScript, ActiveX controls, and viruses. The use of a firewall may
be inadequate to protect from attack by malicious code activated by the web browser. Confidential data
may be stored and accessed through a cookie saved on your PC and accessed by a web site while the user is
browsing, likely without their knowledge. Staff may not be aware of the necessary settings and related
policy for ensuring security when using web browsers.
Information obtained from Internet sources must be verified before used for school purposes. If
information obtained from the Internet is not verified, decisions made depending upon that information
may be incorrect. There is a substantial amount of misinformation on the Internet.
Web Sites
Web sites are important marketing and information resources for schools, and safety from unauthorized
intrusions is a top priority. Only qualified, authorized persons may amend official school-related web sites
with all changes being documented and reviewed. Disabling web sites for maintenance and updating
affords the greatest opportunity for unauthorized users to gain access and steal or modify data. The
Franklin County Schools webmaster will maintain the system website and recommend development
controls to participating system schools.
Computer files received from unknown senders should be deleted without being opened to avoid malicious
software. Always verify the source of files received before attempting to open on school-owned
computers.
Telephone Conference Calls
Staff must become aware of the Information Security issues involved in telephone conference calls. Using
the telephone to provide discussions among three or more persons poses a threat similar to those posed by
conventional person-to-person calls. The identity of the other persons involved in a conference call must
be authenticated in order to avoid a breach in confidentiality.
Videoconferencing
Staff must be aware of the Information Security issues involved in videoconference calls. An overheard
meeting can result in leaked information and, where such information is sensitive, can be very damaging.
The identity of other persons involved in a videoconference call must be authenticated in order to avoid a
breach in confidentiality.
Recording of Telephone Conversations
All parties should be notified in advance if telephone conversations are to be recorded. Failure to observe
legislation regarding recording of telephone calls will cause the Franklin County Schools to be liable for
prosecution.
Misdirected Fax Information
Any fax received in error must be returned to the sender. Its contents must not be disclosed to other parties
without the sender’s permission. Information received in a misdirected fax from internal or external
sources must be treated as highly confidential and should not be divulged to others. Be on your guard
against possible "probing." Faxes which "look official" can lead to the disclosure of confidential information.
Responding to unsolicited faxes may encourage more faxes from the same source.
Ordering Items Over the Telephone
Staff authorized to make payment for goods ordered over the telephone by credit card are responsible for
the safe and appropriate use of the information. Staff must know exactly to whom they are talking and
whether they are authorized to handle the information.
The identity of recipients of sensitive or confidential information over the telephone must be verified. It is
not uncommon for instructions or information to be given over the telephone, but this raises the issue of
verifying the identity of the caller. Be aware of social engineering, where the aim is to trick people into
revealing passwords or other information that compromises a target system's security.
The identity of persons requesting confidential or sensitive personal information over the telephone must be
verified, and they must be authorized to receive it. Callers may claim to be someone who is entitled to
access confidential material. Be aware of social engineering.
Data Management
Sensitive or confidential Data/Information may only be transferred across networks or copied to other
media when the confidentiality and integrity of the data can be reasonably assured, such as by using
encryption techniques. Incorrect data released to outside parties can lead to a loss of confidence in the
organization and/or its services.
Any illegal tampering or amendment of school data while in transit suggests a weakness that is being
exploited by hackers. Where security measures have not been adequately employed, sensitive information
may be accessed by unauthorized persons and confidential data may be distributed to
inappropriate/unauthorized persons.
The recipient of your data may have adopted information security standards that are incompatible with this
institution. This constitutes a weak link in your security which could be exploited. The inappropriate
and/or illegal release of information may result in legal action and prosecution.
The storage of information and data is a daily function for all departments that requires careful
management to ensure that information security issues are dealt with adequately. Day-to-day storage must
ensure that current data is readily available to authorized users and that archives are both created and
accessible in case of need.
Data and information files must be saved and stored securely in order to avoid disruptions in departmental
activity. Take care not to delete important information, on purpose or inadvertently, so that the information
remains available.
Backing Up Data
Data stored on computers within the FCBOE network must be secured from loss or inappropriate use by
regular copying and secure storage to prevent accidental or intentional loss or damage. This process
generally falls into two categories: Back up of data on individual desktop computers and back up of data
on network servers.
Individuals are advised to back up their important data on desktop computers by copying all files to a
disk, flash drive, or other portable device at least once per week. This storage device should be kept at a
location other than the office or building of the individual. Further, all unnecessary or extraneous data
stored on individual computers must be deleted at regular intervals in order to ensure maximum storage
capacity for important school or student information. Information on portable devices should be
encrypted and physical control of the devices maintained by the user.
The security of data stored on network servers cannot be over-emphasized. The protection and recovery
of this information in case of equipment failure or unavoidable accidents or catastrophic events is vital to
the continued operation of the Franklin County Schools; therefore, individuals tasked with back up of
server data must adhere to the plan published in this policy.
Server back up must be performed on a regular interval. Back ups conducted on Monday through
Thursday of each week should be Snapshot back ups, or backing up of all new data created each day. On
every 10th business day, a Full back up will be performed (complete back up of all old and new data
files). This method will ensure the best chance for adequate recovery of data in the event of loss.
Security of Personal Information
Social Security Numbers, names, and addresses (both electronic and USPS), and other bits of personal
information must not be accessible to unauthorized persons. This type of information must be
safeguarded from unauthorized persons in offices, on the web, around copiers and fax machines. Use
shredders to destroy paper records containing this information when no longer needed.
CHAPTER 4 SOFTWARE ACQUISITION AND ACCEPTANCE TESTING
This section outlines the requirements for the acquisition and acceptance testing of software. This
document includes planning for and conducting evaluations of: (i) the software and, (ii) all necessary
documentation and related activities. Planning for and conducting the follow-up activities necessary to
assure timely and effective resolution of problems will also be outlined.
Scope
This applies to all software and support systems acquired by Franklin County Schools, as well as any
software and support systems acquired, or developed by, an external corporate entity that subsequently
contracts with Franklin County Schools.
Responsibility for Compliance
The School Supervisors, in conjunction with the Chief Technology Officer, are to ensure compliance with
this software acquisition and acceptance testing procedure, and will be provided with all resources,
responsibility, authority, and organizational freedom to permit objective evaluations. They will also be
empowered to initiate and verify corrective measures that are deemed essential.
Identifying Software to Acquire
Employees may send informal recommendations to School Supervisors if they identify software that fulfills
a departmental or school need. The School Supervisor is free to decline requests for the suggested software
for implementation if:
1. The software does not conform to the specifications listed herein.
2. A substantial number of software products have been suggested.
3. The software does not fulfill the needs of the department or the organization.
Conducting Software Evaluations
Software shall be evaluated by Supervisors and Tech Support personnel in compliance with the FCBOE
policies and needs.
Conducting Documentation Evaluations
The following set of documentation should be evaluated before any software is acquired.
• The software development plan (if acquiring custom developed software).
  The Supervisors and Tech Support personnel will evaluate the software development plan
  to be used for the project. The software developer must assure that:
  o No other software plans exist for the project that have not been documented.
  o The software development plans presented and evaluated comply with all
    stated policies and requirements.
  o The software will function properly without infrastructure changes to the
    FCBOE network.
• Other software documentation (operating, user manuals and other documentation).
  The Supervisors and Tech Support personnel will evaluate all other software
  documentation not identified in the preceding paragraph and ensure that:
  o Each document adheres to the agreed format.
  o Each document pertains to its stated software component.
Software Evaluation Letter
Software Evaluation Letters for each software acquisition evaluation must contain, at a minimum, the
following items:
• Evaluation date.
• List of participants.
• Evaluation criteria used (e.g. performance, scalability, security, etc.)
• Evaluation results, including problems detected, as well as references to the software problem, as
  applicable.
• Recommended corrective action.
Documenting Corrective Actions
All problems identified during acquisition evaluation and acceptance testing must be documented. These
problems are those that trigger non-conformance with any specified requirements. This documentation is to
serve as a basis for the software developer to take corrective actions.
Ensuring Corrective Actions are Completed
When deviations from the specified requirements are found, either during software acquisition or software
acceptance testing, the developer must do the following upon receiving the corrective actions report:
• Take action to correct the defect, as well as the cause of the defect.
• Perform regression testing to ensure that no new defects are injected into the software.
• Ensure timely and positive corrective action is taken through proper management of the corrective
  process by doing the following:
  o Any additional problems detected in processes and in software that are under internal
    or their control are promptly reported and added to the corrective actions report.
  o Each error is adequately classified and reported.
  o Corrective actions are evaluated to: verify that problems have been resolved; all
    changes have been implemented on the appropriate processes and products; and
    determine whether additional problems have been introduced.
Software Acceptance Checklist
The software acceptance checklist should contain, at a minimum, the following information:
• The contact information for the employee(s)/officer/position listed in the Responsibility
  for Policy Compliance section.
• The developer’s or software manufacturer’s contact information.
• The software support information.
• Product information including:
  o Product number.
  o Type of software (e.g. Web-based, PC).
• Type of user documentation included with the software e.g. user guide, online manual, an
  electronic help guide, etc.
• System requirements, including:
  o Minimum/recommended RAM.
  o Hard drive space.
  o Additional software required e.g. software libraries, databases, etc.
  o Software keys and licenses.
• Beta testing results using the Software Evaluation Form.
Suggested Actions Prior to Software Approval Submission
Prior to submitting new software for approval, interested teachers or other persons in contact with software
vendors/textbook companies should consider the questions below:
TOP TEN QUESTIONS TO ASK YOUR SOFTWARE VENDOR
1. What are the Computer User specs? i.e., What operating system is/are required? How
much memory is required? How much hard drive space is required? Any other
requirements?
2. What are the server specs (for Enterprise/Network applications)? i.e., Operating system
(2002, 2008?) Memory required? Hard drive space? Any other requirements?
3. What versions are available?
a. Internet?
b. CD on client?
c. Enterprise (network)?
4. Is the disk required to be loaded each time software is used?
5. Or, does software run from hard drive? Or both 4 & 5?
6. Is Tech Support available? Is there an 800 number? 24/7? For how long following
purchase?
7. Is there a software warranty? What are the recurring costs from year-to-year?
8. Will it work in a wireless environment?
9. How many components or disks does it take to load?
10. What other schools are using this software and who can we talk to there?
CHAPTER 5 PHYSICAL SECURITY OF NETWORK DEVICES
Servers, routers, switches, and hubs are located throughout various buildings in the school district. Doors
to these facilities must be secured and adequate ventilation must be available to prevent overheating of
components. Under no circumstances should students be allowed access to servers, routers, switches, or
hubs. In addition, data closets should not be used as storage areas for other departments or for
maintenance services.
Classroom and Lab computers must be secured when not in use. A “Log Off” policy is in effect
throughout the Franklin County Schools district. Whenever teachers or supervisors leave a computer
classroom, office, or lab unoccupied, users must be logged off the computers in order to prevent
unauthorized use by students or staff. It is also preferable to lock the room to further ensure limited
access to the computers not in use and prevent unsupervised usage.
CHAPTER 6 WIRELESS SECURITY
The IT Department must be aware of all wireless locations and use of wireless capabilities in fixed labs
and other locations system-wide. Requests for the installation of wireless routers, hubs, or access points at
schools must be made in advance to the IT Department.
Security concerns are part of the potential drawbacks to wireless technology. Although a number of
security measures were built into the 802.xx standards, it is almost universally accepted that wireless
networks are considerably less secure and slower than wired ones.
A number of vulnerabilities can allow hackers to gain access to a school's wireless network. While the
goal of such "whacking" is most often to gain free Internet access, the same security holes can potentially
be used to access confidential student information, alter records, or inflict malicious damage of other
sorts on school LANs. Wireless access points generally have a range of 200 feet more or less, which
includes areas outside the building within that range.
Wireless Service Set Identifications (SSIDs) have been established within the FCBOE Wireless VLAN
for access to the wireless network for various services. Whether Public or Private, Teacher or Guest,
users must adhere to the wireless security features built into the SSIDs. All of the wireless devices on a
WLAN must employ the same SSID in order to communicate with each other. Authentication using
username and password or a special passcode is required for access to FCBOE SSIDs.
It is important to understand that increased security generally involves tradeoffs - in terms of cost, speed
and resource time needed to make upgrades, change passwords and generally manage the security
systems so that they work efficiently.
It is strongly recommended that wireless encryption be used on all access points.
CHAPTER 7 REMOTE ACCESS AND AGREEMENT
Purpose
The purpose of this section is to define standards, procedures, and restrictions for connecting to FCBOE’s
internal network(s) from external hosts via remote access technology, and/or for utilizing the Internet for
business purposes via third-party wireless Internet service providers (a.k.a. “hotspots”). FCBOE’s resources
(i.e. student data, computer systems, networks, databases, etc.) must be protected from unauthorized use
and/or malicious attack that could result in loss of information, damage to critical applications, loss of
revenue, and damage to our public image. Therefore, all remote access and mobile privileges for FCBOE
employees to enterprise resources – and for wireless Internet access via hotspots – must employ only
board-approved methods.
Scope
This chapter applies to all FCBOE employees, including full-time staff, part-time staff, contractors,
freelancers, and other agents who utilize school- or personally-owned computers to remotely access the
organization’s data and networks. Employment at FCBOE does not automatically guarantee the granting of
remote access privileges.
Any and all work performed for Franklin County Schools on said computers by any and all employees,
through a remote access connection of any kind, is covered by this procedure. Work can include (but is not
limited to) e-mail correspondence, Web browsing, utilizing intranet resources, and any other company
application used over the Internet. Remote access is defined as any connection to FCBOE’s network and/or
other applications from off-site locations, such as the employee’s home, a hotel room, airports, cafés,
satellite office, wireless devices, etc.
Supported Technology
All remote access will be centrally managed by FCBOE’s IT department through the ISP and will utilize
encryption and strong authentication measures. Remote access connections covered by this section include
(but are not limited to) Internet dial-up modems, frame relay, ISDN, DSL, VPN, SSH, cable modems,
proprietary remote access/control software, etc. The following table outlines FCBOE’s minimum system
requirements for a computer, workstation, or related device to comply with FCBOE’s systems. Those who
do not meet these requirements must upgrade their machines, or face being denied remote access privileges.
| | PC and PC-Compliant Computers | Portables/Laptops | iPads, Smartphones |
| --- | --- | --- | --- |
| Operating System | Windows XP Pro Standard Edition or Higher | Windows XP Pro Standard Edition or Higher | iOS 5 or higher: 3G capable |
| CPU | Intel Core 2 | Pentium M | 200 MHz Intel |
| RAM | 1 GB | 1 GB | 512 GB |
| Disk Space | 80GB | 80GB | N/A |
| Additional Drives | 48X32 CDRW/DVD; Best Video and Sound Cards available | 24XCDRW/DVD; Best Video & Sound Cards available | N/A |
Eligible Users
All persons/companies requiring the use of remote access for business purposes must go through an
application process that clearly outlines why the access is required and what level of service is needed
should his/her application be accepted. Applications must be approved and signed by the manager,
supervisor, or department head before submission to the IT department. Privately owned connections
(under ‘Supported Technology’) may not be used for business purposes. In all cases, the IT department
must approve the connection as being secure and protected. However, the IT department cannot and will
not technically support a third-party ISP connection or hotspot wireless ISP connection. All expense for
reimbursement of cost (if any) incurred due to remote access for business purposes (i.e. Internet
connectivity charges) must be submitted to the appropriate unit or department head. Financial
reimbursement for remote access is not the responsibility of the IT department.
Appropriate Use
It is the responsibility of any entity with remote access privileges to ensure that their remote access
connection remains as secure as his or her network access within the office. It is imperative that any remote
access connection used to conduct FCBOE business be utilized appropriately, responsibly, and ethically.
Therefore, the following rules must be observed:
• Vendors will use secure remote access procedures. This will be enforced through public/private
  key encrypted strong passwords in accordance with FCBOE’s password policy. They must agree
  to never disclose their passwords to anyone, particularly to family members if business work is
  conducted from home.
• All remote computer equipment and devices used for business interests, whether personal- or
  company-owned, must display reasonable physical security measures. Computers will have
  installed whatever antivirus software deemed necessary by FCBOE’s IT department.
• Remote users using public hotspots for wireless Internet access must employ for their devices a
  FCBOE-approved personal firewall, VPN, and any other security measure deemed necessary by
  the IT department. VPNs supplied by the wireless service provider should also be used, but only in
  conjunction with FCBOE’s additional security measures.
• Hotspot and remote users must disconnect wireless cards when not in use in order to mitigate
  attacks by hackers, wardrivers, and eavesdroppers.
• Users must apply new passwords every business/personal trip where company data is being
  utilized over a hotspot wireless service, or when a company device is used for personal Web
  browsing.
• Any remote connection (i.e. hotspot, ISDN, frame relay, etc.) that is configured to access any
  FCBOE resources must adhere to the authentication requirements of FCBOE’s IT department. In
  addition, all hardware security configurations (personal or company-owned) must be approved by
  FCBOE’s IT department.
• Contractors and temporary staff will make no modifications of any kind to the remote access
  connection without the express approval of FCBOE’s IT department. This includes, but is not
  limited to, split tunneling, dual homing, non-standard hardware or security configurations, etc.
• Contractors and temporary staff with remote access privileges must ensure that their computers are
  not connected to any other network while connected to FCBOE’s network via remote access, with
  the obvious exception of Internet connectivity.
• In order to avoid confusing official school business with personal communications, employees,
  contractors, and temporary staff with remote access privileges must never use non-school system
  e-mail accounts (e.g. Hotmail, Yahoo, etc.) to conduct FCBOE business.
• No employee is to use Internet access through school networks via remote connection for the
  purpose of illegal transactions, harassment, competitor interests, or obscene behavior, in
  accordance with other existing FCBOE policies.
• All remote access connections must include a “time-out” system. In accordance with FCBOE’s
  security policies, remote access sessions will time out after 10 minutes of inactivity, and will
  terminate after two hours of continuous connection. Both time-outs will require the user to
  reconnect and re-authenticate in order to re-enter company networks. Should a remote user’s
  account be inactive for a period of seven days, access account privileges will be suspended until
  the IT department is notified.
• If a personally- or school-owned computer or related equipment used for remote access is
  damaged, lost, or stolen, the authorized user will be responsible for notifying their manager and
  FCBOE’s IT department immediately.
• The remote access user also agrees to immediately report to their manager and FCBOE’s IT
  department any incident or suspected incidents of unauthorized access and/or disclosure of school
  resources, databases, networks, etc.
• The remote access user also agrees to and accepts that his or her access and/or connection to
  FCBOE’s networks may be monitored to record dates, times, duration of access, etc., in order to
  identify unusual usage patterns or other suspicious activity. As with in-house computers, this is
  done in order to identify accounts/computers that may have been compromised by external parties.
• Franklin County Schools will not reimburse employees for school-related remote access
  connections made on a pre-approved privately owned ISP service.
Non-Compliance
Failure to comply with the Remote Access Agreement may result in the suspension of remote access
privileges, disciplinary action, and possibly termination of employment.
Employee Declaration
I, [employee name], have read and understand the above Remote Access Agreement, and
consent to adhere to the rules outlined therein.
______________________________________    __________________________________
Employee Signature                        Date
______________________________________    __________________________________
Manager Signature                         Date
______________________________________    __________________________________
IT Administrator Signature                Date
_____________________________________________________
CHAPTER EIGHT PRINTERS
Purpose
Printers represent one of the highest equipment expenditures at Franklin County Board of Education. The
goal of this chapter is to facilitate the appropriate and responsible use of Franklin County Schools’ printer
assets, as well as control FCBOE’s printer cost of ownership by preventing the waste of paper, toner, ink,
and so on.
Scope
This chapter applies to all employees of Franklin County Schools, as well as any contract employees in the
service of Franklin County Schools who may be using FCBOE networks and equipment.
Supported Printers
FCBOE supports the printers named in the Standard Equipment List, which is updated yearly. An effort
has been made to standardize on specific printer models in order to optimize contractual agreements and
minimize support costs. The list indicates the model, resolution, location, and capabilities (e.g. color
printing, double-sided printing, large print jobs, special paper types) of all FCBOE printers.
General
• Printers are to be used for documents that are relevant to the day-to-day conduct
  of business at all schools and the central office. FCBOE printers should not be
  used to print personal documents.
• Installation of personal printers is generally not condoned at FCBOE schools due
  to the cost of maintaining and supporting many dispersed machines.
• Do not print multiple copies of the same document – the printer is not a copier
  and typically costs more per page to use. If you need multiple copies, print one
  good copy on the printer and use the photocopier to make additional copies.
• If you print something, please pick it up in a timely fashion. If you no longer want
  it, please dispose of it appropriately (i.e. recycle).
• If you come across an unclaimed print job, please stack it neatly next to the
  printer. All unclaimed output jobs will be discarded after one week.
• Make efforts to limit paper usage by taking advantage of duplex printing (i.e.
  double-sided printing) features offered by some printers and other optimization
  features (e.g. printing six PowerPoint slides per page versus only one per page).
• Make efforts to limit toner use by selecting light toner and lower dpi default print
  settings.
• Avoid printing large files, as this puts a drain on network resources and interferes
  with the ability of others to use the printer. Please report any planned print jobs in
  excess of ten pages to the IT department so that the most appropriate printer can
  be selected and other users can be notified.
• If printing a job in excess of 25 pages, please be at the printer to collect it when it
  comes out to ensure adequate paper supply for the job and that the output tray is
  not overfull (i.e. you may need to remove some of the output before the print job
  is finished).
• Avoid printing e-mail messages. Instead, use the folders and archiving
  functionality in your e-mail application to organize and view your messages.
• Avoid printing a document just to see what it looks like. This is wasteful.
• Avoid re-using paper in laser printers, as this can lead to paper jams and other
  problems with the machine.
• Many printers do not support certain paper types, including vellum,
  transparencies, adhesive labels, tracing paper, card stock, or thicker paper. If you
  need to use any of the paper types, consult with IT to find out which machines can
  handle these specialty print jobs.
• Color printing is typically not required by general office users. Given this
  selective need, as well as the high cost per page to print color copies, the number
  of color-capable printers available has been minimized. You are strongly
  encouraged to avoid printing in color when monochrome (black) will do.
• Printer paper is available at each school. Toner cartridges are available at each
  department.
• If you encounter a physical problem with the printer (paper jam, out of toner, etc.)
  and are not “trained” in how to fix the problem, please do not try. Instead, report
  the problem to the vendor or ask a trained co-worker for help.
• Report any malfunction of any printing device to Tech Support as soon as
  possible.
CHAPTER NINE MOBILE DEVICE MANAGEMENT
SMARTPHONES
All requests to purchase or use Smartphones for educational purposes must be reviewed by the IT
Department to ensure that the equipment is compatible with the existing IT environment.
The IT Department will assist employees with the set up of school-owned Smartphones, including
business-use software installation. Employees are solely responsible for the maintenance and general
upkeep of their assigned Smartphone.
I, [supervisor’s name], am the supervisor for [employee’s name]. I approve the use of
his/her Mobile Device to conduct and access information for the following purposes:
1.
2.
3.
[Employee’s name] assumes liability for corporate and personal information stolen,
lost or misused. Employees will be required to sign a waiver before accessing
corporate information on their Mobile Devices.
________________________________ ____________
Employee’s Signature Date
________________________________
Employee’s Name (Printed)
________________________________
Supervisor’s Signature
Please provide this form to the technician at the time of the issue.
_____________________________________________________
CHAPTER TEN PASSWORDS
Purpose
Passwords are a critical part of information and network security. Passwords serve to protect user accounts,
but a poorly chosen password, if compromised, could put the entire network at risk. As a result, all
employees of Franklin County Schools are required to take appropriate steps to ensure that they create
strong, secure passwords and keep them safeguarded at all times. The purpose of this chapter is to set a
standard for creating, protecting, and changing passwords such that they are strong, secure, and protected.
Scope
This chapter applies to all employees of Franklin County Schools who have or are responsible for a
computer account, or any form of access that supports or requires a password, on any system that resides at
any Franklin County Schools facility, has access to the FCBOE network, or stores any non-public FCBOE
information.
Expiration
• Passwords must be changed every semester, or 180 days.
• Old passwords cannot be re-used for a period of 12 months.
• All passwords must conform to the guidelines outlined below.
Password Construction Guidelines
Passwords are used to access any number of school systems, including the network, e-mail, the Web, and
voicemail. Poor, weak passwords are easily cracked, and put the entire system at risk. Therefore, strong
passwords are required. Try to create a password that is also easy to remember.
1. Passwords should not be based on well-known or easily accessible personal information.
2. Passwords must contain at least seven characters.
3. All passwords must start with a letter.
4. Passwords must contain at least six lowercase letters (e.g. t).
5. Passwords must contain at least one numerical character (e.g. 5).
6. Passwords should not contain special characters (e.g. $).
7. A new password must contain at least five characters that are different than those found in the old
password which it is replacing.
8. Passwords must not be based on a user’s personal information or that of his or her friends, family
members, or pets. Personal information includes logon I.D., name, birthday, address, phone
number, social security number, or any permutations thereof.
9. Passwords must not be words that can be found in a standard dictionary (English or foreign) or are
publicly known slang or jargon.
10. Passwords must not be based on publicly known fictional characters from books, films, and so on.
11. Passwords must not be based on the school system’s name or geographic location.
Password Protection Guidelines
1. Passwords should be treated as confidential information. No employee is to give, tell, or hint at
their password to another person, including IT staff, administrators, superiors, other co-workers,
friends, and family members, under any circumstances.
2. If someone demands your password, refer them to this policy or have them contact the IT
Department.
3. Passwords are not to be transmitted electronically over the unprotected Internet, such as via
e-mail. However, passwords may be used to gain remote access to company resources via the
company’s IPsec-secured Virtual Private Network or SSL-protected Web site.
4. No employee is to keep an unsecured written record of his or her passwords, either on paper or in
an electronic file. If it proves necessary to keep a record of a password, then it must be kept in a
controlled access safe if in hardcopy form or in an encrypted file if in electronic form.
5. Do not use the “Remember Password” feature of applications.
6. Passwords used to gain access to school systems should not be used as passwords to access non-
school accounts or information.
7. If possible, don’t use the same password to access multiple school systems.
8. If an employee either knows or suspects that his/her password has been compromised, it must be
reported to the IT Department and the password changed immediately.
9. The IT Department may attempt to crack or guess users’ passwords as part of its ongoing security
vulnerability auditing process. If a password is cracked or guessed during one of these audits, the
user will be required to change his or her password immediately.
Enforcement
Any employee or student who is found to have violated FCBOE policy may be subject to disciplinary
action, up to and including suspension.
_____________________________________________________
CHAPTER ELEVEN NETWORK SECURITY FOR PORTABLE COMPUTERS
Introduction
Portable computers offer staff the ability to be more productive while on the move. They offer greater
flexibility in where and when staff can work and access information, including information on our
corporate network. However, network-enabled portable computers also pose the risk of data theft and
unauthorized access to our corporate network. Any device that can access the corporate network must be
considered part of that network and therefore subject to policies intended to protect the network from harm.
Any portable computer that is proposed for network connection must be approved and certified by the IT
department.
Protecting the Laptop
In order to qualify for access to the FCBOE network, the laptop must meet the following conditions:
Network settings must be reviewed and approved by IT support personnel.
Anti-virus software must be installed. Software must have active scanning and be kept up-to-date.
Recommended anti-virus software is Norton Antivirus.
Laptop User’s Responsibilities
1. The user of the laptop is responsible for physical security of the laptop whether they are
onsite, at home, or on the road.
2. The user of the laptop is responsible for keeping their anti-virus scanning software up-to-date
at all times. It is strongly recommended that they update their anti-virus software before going
on the road.
Security Audits
The IT department reserves the right to audit any laptop used for school business to ensure that it continues
to conform to this certification policy. The IT department will also deny network access to any laptop
which has not been properly configured and certified.
CHAPTER TWELVE HUMAN RESOURCES CONSIDERATIONS
Compliance
All employees must comply with the Information Security procedures of the Franklin County Schools.
Any Information Security incidents resulting from non-compliance will result in immediate disciplinary
action. All staff will have previous employment and other references checked prior to employment, in
addition to a background check.
Job Descriptions
Where job descriptions and duties make no reference to Information Security other than for technical staff,
employees may be under the mistaken impression that they are not responsible for Information Security.
All employees should abide by these procedures and Franklin County Schools must protect itself against
hiring individuals ill suited for the position. Most if not all employees are given access to Franklin County
Schools information systems and the security risks should be addressed with all employees.
Third Party Inclusion
This risk also exists with contracted, third party individuals, especially those hired to work with software
and/or hardware within the system. All external suppliers of contracted services to the Franklin County
Schools must agree to follow the procedures stated herein. An appropriate summary of our Information
Security Procedures must be delivered to any such supplier prior to engaging in contracted services.
Security of Keys
The lending of keys whether physical or electronic is prohibited. This requirement should be noted in
employment contracts. Keys should be issued to authorized staff only.
Intellectual Property Rights
All Intellectual Property Rights over work done by employees of Franklin County Schools as part of their
normal duties are to be owned by the Franklin County Schools. If the school system wishes to own the
Intellectual Property Rights over work done by third parties or contractors, it must ensure that the
agreement or contract with the third party or contractor covers this issue.
Protecting Confidentiality
All employees of Franklin County Schools must protect the confidentiality of information, both during and
after employment with Franklin County Schools. All employee data is to be treated as strictly confidential
and made available only to authorized persons or agencies. The disclosure of this type of information is
covered by data privacy legislation.
Access to System-owned Information
Notwithstanding the Franklin County Schools’ respect for employee privacy in the workplace, it reserves
the right to have access to all information created and stored in the school system’s network, to include
work done by students. In cases in which the monitoring of employee activity is perceived as intrusive
and/or excessive and in contravention of Human Rights Laws, legal proceedings may result in fines and
other penalties for Franklin County Schools.
References
Only authorized personnel may give employee references. The preparing of references is a specialized
process and should only be undertaken by properly trained and authorized persons. When giving
references, Franklin County Schools system personnel must ensure that they are aware of who is requesting
the information and why. Passing inaccurate or inappropriate personal reference details to third parties
may result in liability claims.
Staff Disaffection
Management of the Franklin County Schools must respond quickly yet discreetly to indications of staff or
student disaffection, communicating as necessary with Human Resources management and the Chief
Technology Officer. Disaffected staff can present a significant risk as they are still deemed trusted
employees, but their potential to inflict damage is high. All staff will usually become aware of what
information assets are of value to the organization and, although they may not have direct access to
information themselves, they may be able to obtain access through personal relationships. Staff whose
personal circumstances have changed significantly or who have a grievance may begin to act differently.
Their change in behavior could alert to the possibility of a breach or attempted breach of Information
Security.
Staff Leaving Employment
Upon notification of staff resignations, Human Resources management must consider with the Chief
Technology Officer whether the staff member’s continued access rights constitute an unacceptable risk to
Franklin County Schools and, if so, revoke all access rights. Departing staff must be treated sensitively,
particularly with regard to the termination of their access privileges. System and access rights of departed
personnel must be terminated immediately.
CHAPTER THIRTEEN STAFF AWARENESS AND TRAINING
Permanent staff is to be provided with Information Security awareness tools to enhance awareness and
educate them regarding the range of threats and the appropriate safeguards. Temporary staff must receive
an appropriate summary of Information Security policies prior to beginning work with the Franklin County
Schools. Franklin County Schools’ leadership must lead by example ensuring that Information Security is
given a high priority in all activities and initiatives.
Providing Updates to Staff
Franklin County Schools is committed to providing regular and relevant Information Security awareness
communication to all staff by various means, including electronic updates, briefings, and newsletters, etc.
Feedback will be sought by the IT Department on the effectiveness of the system’s policies.
Security Training for New Systems
Franklin County Schools is committed to providing training to all users of new systems to ensure that their
use is both efficient and does not compromise Information Security. New systems should be able to be
implemented without concerns to Information Security, downgrading of the current security framework, or
other security breaches.
Information Security Training for IT Staff
Periodic training for all IT Department staff will be prioritized to educate and train in the latest threats and
Information Security techniques. Individual training in Information Security is mandatory, with any
technical training being appropriate to the responsibilities of the user’s job functions. Where staff change
jobs, their Information Security needs must be re-assessed and any new training provided as a priority.
CHAPTER FOURTEEN PREMISES SECURITY
Site Selection
Sites selected for the installation of computers and/or the storage of data must be suitably protected from physical
intrusion, theft, fire, flood, and other hazards. In the context of Information Security, “premises” refers to
any area in which hardware is located; it may range from a corner in an office to an entire building. It is
important to consider the choice of premises for computer hardware carefully because it is difficult to make
changes once a location, or site, has been selected. The physical security measures adopted will depend
upon the value of the hardware, the sensitivity of the data, and the required level of service resilience.
Challenging Strangers
All employees of Franklin County Schools are to be aware of the need to challenge strangers on school
property, to include computer premises. Strangers may be a new staff member or they may be someone
intent upon doing damage to the security of the schools, so employees must not be afraid to challenge
strangers.
Data Storage
On-site and remote locations where data is stored must provide access control and protection which reduce
the risk of loss or damage to an acceptable level. Data stores hold removable media vital to the backup and
recovery process.
Security of Keys
The lending of keys whether physical or electronic is prohibited. This requirement should be noted in
employment contracts. Keys should be issued to authorized staff only.
CHAPTER FIFTEEN DETECTING & RESPONDING TO INFORMATION SECURITY INCIDENTS
Reporting
All suspected Information Security incidents must be reported to the Chief Technology Officer. An
Information Security Incident may be defined as any occurrence which in itself does not necessarily
compromise Information Security, but which could result in it being compromised. An example is a
multiple login failure on a single user account, leading to that account being locked out. Another example is
finding a computer logged onto the network with no recognizable username or evidence of multiple
attempts to access the network. Information Security breaches must be reported to the Chief Technology
Officer without delay in order to speed the identification of any damage caused, any restoration and repair,
and to facilitate the gathering of any associated information. Persons witnessing Information Security
breaches or incidents must report them as above without delay.
The Chief Technology Officer will be responsible for reporting Information Security incidents to outside
agencies when required to do so, such as third party ISP, county agencies, law enforcement, etc.
Responding
The Chief Technology Officer must respond to reported incidents rapidly and in a controlled manner, coordinating
with colleagues for the gathering of all relevant information or evidence and offering advice. Evidence
related to a suspected breach or incident must be formally recorded and processed.
System Weaknesses
The Chief Technology Officer will be notified immediately of all identified or suspected Information
Security weaknesses.
Responsibility
Information Security is everybody’s responsibility. Awareness and vigilance to possible breaches is the
best way to minimize the intended consequences of an actual Information Security breach.
CHAPTER SIXTEEN OPERATIONS CONTINUITY MANAGEMENT
Planning
The Franklin County Schools system is responsible for initiating an Operations Continuity Plan for the
continuation of key operational services in the event of an unexpected occurrence which may seriously
disrupt the essential and critical business processes of the system. This may also be referred to as a
Disaster Recovery Plan. The Plan must contain a series of critical actions which will lead to the return of
normal operations. Failure to develop an OCP which is viable and tested, or an OCP that fails when enacted, may result
in the organization’s operations not being able to recover – ever. The Plan must be approved by the
Franklin County Board of Education.
Risk Assessment
It is highly recommended that a formal risk assessment be conducted in order to determine the
requirements for an Operations Continuity Plan. The Risk Assessment must analyze the nature of such
unexpected occurrences, their potential impact, and the likelihood of these occurrences becoming serious
incidents. Sufficient financial and human resources must be allocated if the resultant plan is to succeed.
Testing the OCP/DRP
The Operations Continuity Plan must be periodically tested to ensure that the management and staff
understand how it is to be executed. Where the OCP testing does not reproduce authentic conditions, the
value of such testing is limited. A failure to analyze the OCP Test Plan results will likely detract from the
value of the test.
Awareness
If an OCP is to be executed successfully, all personnel must not only be aware that the plan exists, but also
know its contents and the duties and responsibilities of each party. All staff must be made aware of the
OCP and of their own respective roles.
Maintaining and Updating the OCP/DRP
The OCP must be kept up to date and re-tested periodically. It is suggested that the OCP be tested at least
annually, with the results used to update the plan.
CHAPTER SEVENTEEN REQUESTS FOR TECHNICAL SUPPORT
IT Department technical support for all Information Security or IT-related equipment or software issues
may be obtained by logging into the Tech Request Web Site at https://login.bigwebapps.com. Use the
email address that was assigned as the username and fcboe as the initial password. The password may be
changed after initial entry. Again, it is important to note that the Tech Request Web Site may be accessed
from anywhere the person has access to the world wide web.
Once Login is established, select FCBOE IT Support from the menu to submit a work request, or ticket. If
you have a work request for the FCBOE Maintenance Department, the selection would be FCBOE
Maintenance.
Prior to creating a new ticket, please read the Troubleshooting Tips located on the right hand side of the
page to see if any of these steps can solve the problem or issue you are experiencing. If you are not able to
resolve an issue with the Troubleshooting Tips, proceed to Create a New Ticket with yourself as the user.
The Internal Location* must be entered, and the program will default to your assigned school or other
location. If this is incorrect, use the drop down arrow to select the correct location.
The Class* of ticket must be entered and you can use the drop down arrow to select the appropriate Class.
The Technician will automatically be assigned the ticket based on your location. ID Method assists the IT
Department with the exact location of the piece of equipment or software being addressed in the ticket, so
please specify exactly where the item is located. The exact Room Number* where the problem is located
must be entered. Every school has a list of Room Numbers, and this is needed in order to further identify
the location.
If the ticket concerns a computer problem, the Computer Name can be entered so that the technician can use Remote Desktop
procedures to solve the issue more quickly. The Computer Name may be found by right-clicking My Computer,
left clicking Properties, and selecting the Computer Name tab. Please enter the complete Computer Name
exactly as listed under the Name Tab. Somewhere on the device is an FCBOE Asset Tag, a small white tag
with “Property of Franklin County School System” on the top over a bar code, and then a six-digit number
beneath the bar code. This tag number must be reported prior to the technician’s acceptance of the work
order because FCBOE Technicians are prohibited from working on items that do not belong to the FCBOE.
If the ticket is a telephone service issue, please type in the telephone number of the phone, and then indicate
the best time for a technician to come to your location to resolve your issue. The ticket must be given a
Subject Heading, such as Cannot Access Network on Office Computer. Below the subject heading, in the
Text box, please type as much specific information as possible about the problem or issue in order to fully
explain what you are experiencing. This will speed up resolution of the problem. Once completed, click
on Save & Close beneath the text in order to submit your ticket to the appropriate computer technician. A
message will be generated to the technician and to you containing the information you entered.