information technology policies

INFORMATION TECHNOLOGY SECURITY AND PROCEDURES MANUAL FOR THE FRANKLIN COUNTY SCHOOLS, WINCHESTER, TENNESSEE 2010-2014

FRANKLIN COUNTY SCHOOLS, WINCHESTER, TENNESSEE

Franklin County Schools 2010-2013 2

Contents

Introduction: Using Information Security
Supervision

CHAPTER 1 HARDWARE, PERIPHERALS, AND OTHER EQUIPMENT
    Purpose and Scope
    New Equipment Installation
    Testing Systems and Equipment
    General Procedures
    Standard Items
    Non-Standard Items
    Payment
    Technology Grant Coordination
    Cabling, UPS, Printers, & Modems
    Consumables
    Working Off Campus or Traveling
    Using Secure Storage
    Documenting Hardware
    Other Hardware Issues
    Check Out Equipment

CHAPTER 2 CONTROLLING ACCESS TO INFORMATION AND SYSTEMS
    Managing Access Control Standards
    Storage Limits

CHAPTER 3 PROCESSING INFORMATION AND DOCUMENTS
    Downloading Files and Information from the Internet
    Use of Email
    Use of the Internet for Work Purposes
    Web Sites
    Telephone Conference Calls
    Videoconferencing
    Recording of Telephone Conversations
    Misdirected Fax Information
    Ordering Items Over the Telephone
    Data Management
    Backing Up Data
    Security of Personal Information

CHAPTER 4 SOFTWARE ACQUISITION AND ACCEPTANCE TESTING
    Scope
    Responsibility for Compliance
    Identifying Software to Acquire
    Conducting Software Evaluations
    Conducting Documentation Evaluations
    Software Evaluation Forms
    Documenting Corrective Actions
    Ensuring Corrective Actions are Completed
    Software Acceptance Checklist
    Suggested Actions Prior to Software Approval
    Top Ten Questions to ask your Software Vendor

CHAPTER 5 PHYSICAL SECURITY OF NETWORK DEVICES

CHAPTER 6 WIRELESS SECURITY

CHAPTER 7 REMOTE ACCESS AND AGREEMENT
    Purpose
    Scope
    Supported Technology
    Eligible Users
    Appropriate Use
    Non-Compliance
    Employee Declaration

CHAPTER 8 PRINTERS
    Purpose
    Scope
    Supported Printers
    General
    Employee Declaration

CHAPTER 9 PERSONAL DIGITAL ASSISTANTS (PDA)

CHAPTER 10 PASSWORDS
    Purpose
    Scope
    Expiration
    Password Construction Guidelines
    Password Protection Guidelines
    Enforcement

CHAPTER 11 NETWORK SECURITY FOR PORTABLE COMPUTERS
    Introduction
    Protecting the Laptop
    Laptop User’s Responsibilities
    Security Audits
    Declaration of Understanding
    Declaration of Certification

CHAPTER 12 HUMAN RESOURCES CONSIDERATIONS
    Compliance
    Job Descriptions
    Third Party Inclusion
    Security of Keys
    Intellectual Property Rights
    Protecting Confidentiality
    Access to System-Owned Information
    References
    Staff Disaffection
    Staff Leaving Employment

CHAPTER 13 STAFF AWARENESS & TRAINING
    Providing Updates to Staff
    Security Training for New Systems
    Information Security Training for IT Staff

CHAPTER 14 PREMISES SECURITY
    Site Selection
    Challenging Strangers
    Data Storage
    Security of Keys

CHAPTER 15 DETECTING & RESPONDING TO INFORMATION SECURITY INCIDENTS
    Reporting
    Responding
    System Weaknesses
    Responsibility

CHAPTER 16 OPERATIONS CONTINUITY MANAGEMENT
    Planning
    Risk Assessment
    Testing the OCP/DRP
    Awareness
    Maintaining and Updating the OCP/DRP

CHAPTER 17 REQUESTS FOR TECHNICAL SUPPORT

Introduction: Using Information Security

The purpose of this manual is to ensure system-wide security of Franklin County Schools’ information

technology network. It augments security guidance previously published in the approved District

Technology Three-Year Plan and Franklin County Board of Education (FCBOE) policies relating to use

of the internet and electronic mail, available on the Franklin County Schools’ website under FCBOE

Online Policies.

While the procedures herein lay a solid foundation for the development and implementation of secure

practices for Franklin County Schools, the procedures themselves are not instructional or overly

descriptive. Compliance will require an understanding by faculty and staff of not only the individual

procedures, but also of the circumstances in which such compliance is expected in day-to-day activities.

Knowing the procedures is only one-half of the equation – everyone needs to know how they should

comply, from a procedural perspective.

Supervision

Teachers and Supervisors are reminded that, in accordance with the District Technology Plan, “Teachers

are required to monitor online activities of students.” This will greatly reduce incidents of hacking and

other inappropriate behavior by students or staff which can lead to reduced effectiveness of the system-wide network.

CHAPTER 1 HARDWARE, PERIPHERALS, AND OTHER EQUIPMENT

Purpose and Scope

This chapter covers all information technology hardware, software, and computer-related components

purchased with Franklin County Schools funds. Specifically, the following technology resources are within

the scope:

Desktops, laptops, personal digital assistants, cell phones, iPads, and servers.

Software running on the devices mentioned above (see Chapter 4).

Peripheral equipment, such as printers and scanners.

Cables or connectivity-related devices.

Audio-visual equipment, such as projectors and document cameras.

All hardware, software, or components purchased with school funds are the property of FCBOE. This also

includes all items purchased using a personal credit card for which the employee is later reimbursed. The

Technology Department is charged with performing the maintenance, repair, and replacement for school

building technology equipment; however, the department is not funded for the purchase of all replacement

parts or other items for all the schools.

All purchases of new systems hardware or new components for existing hardware must take into

consideration Information Security and FCBOE policies, as well as technical standards. Such requests to

purchase must be based upon user requirements and take into account long-term organizational needs

because of the expense involved in making subsequent changes. Information Security issues to be

considered when planning for purchases or accepting donated equipment include the following:

The system must have adequate capacity or else it may not be able to process your data.

Data must be adequately protected; otherwise, there is a risk of loss or accidental/malicious

damage.

The system must be sufficiently resilient to avoid unplanned down-time, which can have an

immediate negative impact upon the school.

It is necessary to understand, in detail, the specific functional performance and capacity requirements as

part of the hardware purchasing process. For this reason, departments must consult with the Information

Technology Department before submitting requisitions for new hardware. This is because, without

adequate analysis, the school board may:

Purchase inappropriate hardware for the desired task.

Purchase a system that does not comply with the school’s technical architecture or technology

strategy.

Fail to achieve the best value when such things as price, performance, reliability, capacity, and

support issues are considered.

Supply confidential information to a vendor without the need-to-know.

A number of comparable bids may be necessary to make an informed comparison and purchase

appropriately because without these there is the risk of a sub-optimum quote.

New Equipment Installation

Installation of new equipment must be properly considered and planned to avoid unnecessary disruption

and to ensure that Information Security issues are adequately covered. Planning considerations for new

equipment installation include the following:

The equipment must be located in a suitable environment; otherwise, it may fail.

Any disclosure of network environment, security features, locations, configurations, etc., during

installation exposes potential vulnerabilities which could be exploited.

Efforts will be made to avoid disruption to activities such as classes, tests, exams, etc., and to

avoid disruption to other operational systems.

Testing Systems and Equipment

All equipment must be fully and comprehensively tested and formally accepted by the IT Department

before being transferred to the live environment. Hardware should be tested when new to verify it is

working correctly, and then further tests applied periodically to ensure continued effective functioning.

General Procedures

If an employee or department wishes to purchase hardware, software, or computer-related

components, they should review the Standard Items list first. If a desired item does not appear

on the Standard Items list, then see the procedure for Non-Standard Items below.

All purchase requests for hardware, software, or computer-related components must first be

approved by a Principal or Supervisor before submission to the IT department. In all cases,

the request for purchase must be justified.

All requests must be submitted to the IT department for final purchase approval. If the

requested item is already in inventory, then it will be made available to the requestor within

two business days, assuming justification of need is sufficient. All approved requests for items

not in inventory will be forwarded to Franklin County Finance Purchasing for processing.

Non-standard items found connected to the network may be removed from the network at the

IT department’s discretion.

Standard Items

The Standard Items list contains pre-approved vendors and products upon which FCBOE has standardized.

Standard items have been proven to be both supportable by the IT department as well as cost-effective.

All items on the Standard Items list will be reviewed for cost effectiveness, reliability, acquisition time, and

quality of vendor support at least every six months. The Standard Items list is maintained by the IT

Department and is available upon request.

Non-Standard Items

There are some instances in which non-standard items (i.e., items not appearing on the Standard Items list) can be purchased:

In the event of an emergency where purchasing items through regular channels and waiting

for delivery will take too long.

In the event that an employee or department needs specialized software or some other

component that is not on the standard items list, but is required to perform work or complete a

project.

Employees or departments requesting non-emergency specialized software or components must submit a

plan detailing how this item will be supported before approval will be granted. Support options include

assigning a staff member to maintain and/or support the component, arranging for external vendor support,

or arranging for a service level agreement with the IT department.

Payment

Because of the expense involved, the Technology Department will purchase replacement lamps for LCD

projectors where needed. All other purchases for consumables such as ink, toner, and cartridges, as well as

replacement parts required for repair or maintenance of technology equipment must be made by the schools

within their budget allowances. Exceptions in unusual circumstances are at the discretion of the Chief

Technology Officer.

The following items will be paid for out of the IT department’s budget:

Replacement lamps for LCD (or data) projectors.

Servers and the parts associated with the upkeep of this equipment, including UPS.

Switches, cables, raceway, and other items associated with networking the computers.

The following items will not be paid for by the IT department, and therefore must be paid for out of

individual departments’ operating budgets:

All other replacement parts or consumables (ink, cartridges, toner, bulbs, etc.)

Surge protection and Uninterruptible Power Supply (UPS) for non-server hardware.

Out of warranty parts or replacements.

Technology Grant Coordination

Notice of intent to apply for technology-related grants to fund purchases of hardware, software, or other

programs should be sent in advance to the IT Department in order to coordinate the endeavor system-wide.

The purpose is not for the IT Department to serve as the grant writer or provide final approval for grants,

but to become the clearinghouse for the many technology-related grants for which it is possible to apply

and to keep key players informed of potential funding resources. This will eliminate redundancy in grant

submissions and reduce potential conflict among schools/programs within the system. The FCBOE IT

Department also stands ready to assist with grant-writing endeavors if required. The Point of Contact for

grant matters at the IT Department is Jody Starnes, Administrative Assistant to the CTO.

Cabling, UPS, Fax Machines, Printers and Modems

An Uninterruptible Power Supply (UPS) is to be installed on all critical computer equipment to ensure the

continuity of services during power outages. The UPS differs from the surge protector in that it not only

provides surge protection during voltage spikes, but also uses a battery or batteries to provide continuous

power if electricity is lost for a period of time. This is a critical component which enables continuity of

function in the event of power failure. This is critical because if the main power fails for any reason, your

system will crash and data files may be corrupted. A malfunctioning UPS may cause your systems to crash

in an uncontrolled manner following a main electrical failure. Such crashes can often corrupt data files.

Sensitive or confidential information may only be faxed where more secure methods of transmission are

not feasible. Both the owner of the information and the intended recipient must authorize the transmission

in advance. The information security risks associated with use of fax machines stem from the relative

insecurity of the medium, which may lead to confidential data being disclosed to unauthorized persons, or

fraudulent incoming messages resulting in action being taken that is detrimental to the organization.

Printers output information on a continual basis in many offices, and the content of that information can

vary from inconsequential intra-office notices to highly confidential information containing personal

identification and information. If sensitive information must be sent to a network printer, ensure the

presence of an authorized person to safeguard confidentiality during and after printing. This will ensure

that confidential information is not revealed to unauthorized persons and printed stationery is not used

fraudulently.

Network cabling remains a vulnerable target as it can be exposed and unprotected. Malicious damage to

networks can cause disruption to processing and communications. Illegal hacking into networks may

compromise data and security measures, such as user names and passwords. Accidental damage to cabling

can threaten data processing. Network cabling must be installed and maintained by IT Department

personnel to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network

wall sockets should be sealed off and their status formally noted.

Consumables

Printer ink, printer toner, paper, forms, and stationery must be purchased by schools for their staff’s use and

usage monitored to discourage theft and improper use. Pilfering of consumables results in increased

organizational expense and confidential data may be revealed to unauthorized persons from discarded

consumables, e.g. discarded draft printer output. Shredders should be used to destroy documents

containing confidential or sensitive information, or any form of personal information.

Working Off Premises or Traveling with Computer Equipment

Supervisors must authorize the issue of mobile devices. Laptops, portables, iPads, Smartphones, or

organizers that connect to and store data are included. Collectively, they are referred to as mobile devices.

Usage is restricted to school business and users must be aware of and accept the terms and conditions of

use, especially the responsibility for the security of the equipment and information held on such devices.

Persons issued mobile devices who intend to travel for school business purposes must be made aware of the

information security risks relating to portable computing equipment and implement the appropriate

safeguards to minimize risk. Also, any movement of hardware between schools is the authority of the IT

Department. Re-location of serial numbered items requires that Budget Managers document the re-location

each time the items are moved, for inventory purposes and security management.

Using Secure Storage

Sensitive or valuable material and equipment must be stored securely and guarded against theft or

vandalism. Valuable material is identified by the Franklin County School System Bar Code tag placed on

the item at the time of delivery to the user. If the material or equipment has a tag, it is of sufficient value to

warrant secure storage and safeguarding. Information of a personal or valuable nature may be classified by

the school system as requiring secure storage. Lockable storage filing cabinets or cases must be used to

store these documents with valuable school information contained thereon.

Documenting Hardware

Hardware documentation must be kept up-to-date and readily available to the staff who are authorized to

support or maintain the systems. “Documentation” refers to operator manuals and technical documentation

supplied by the vendors or supplier. A register or database of all computer equipment used in the schools

is maintained by the use of the FCBOE Fixed Asset Program.

Other Hardware Issues

Equipment owned by Franklin County Schools may only be disposed of by authorized personnel who have

ensured that the relevant security risks have been mitigated. All users of workstations, PCs, and laptops are to

ensure that their screens are blank when not being used, i.e., log off the computer when finished working

and when departing the classroom or office. This will prevent exposure of confidential material that can be

read from the screen, especially when the workstation is logged on and the user is away from the desk.

Sensitive or confidential information must not be recorded on answering machines or left in voicemail.

Leaving such information on a recording device is a breach of confidentiality. Only suitable and approved

cleaning materials are to be used on equipment owned by Franklin County Schools. Deliberate or

accidental damage to school property must be reported as soon as discovered.

CHAPTER 2 CONTROLLING ACCESS TO INFORMATION AND SYSTEMS

Managing Access Control Standards

Access control standards for information systems should incorporate the need to balance restrictions to

prevent unauthorized access against the need to provide unhindered access to meet the educational needs of

the schools. Access to school-owned systems must be authorized by the FCBOE for the appropriate users,

and password protection afforded the user having access. Logon screens or banners that supply

information about the system prior to successful logon must not be used and should be removed as they can

assist unauthorized users to gain access.

Equipment is always to be safeguarded appropriately, especially when left unattended. Faculty and

students must log off classroom computers upon completion of use to avoid subsequent use by

unauthorized persons. Computer equipment that is logged on and left unattended can present a tempting

target to unauthorized users on the premises.

Access to the resources on the network must be strictly controlled to prevent unauthorized use. Access to

all computing and information systems and peripherals shall be restricted unless explicitly authorized.

Unauthorized access to programs or applications could lead to fraudulent transactions or false entries,

damage, corruption and inappropriate use of student or school data, hacking, or introduction of viruses.

Access to Operating System commands is restricted to persons performing systems administration under

the control of the IT Department. No one else is authorized access to Operating Systems.

Password use and management is a primary means to control access to systems. Passwords must not be

shared with any other person for any reason.

Access to Information & Documents must be carefully controlled, ensuring that only authorized personnel

have access to sensitive information.

Remote Access to Franklin County Schools systems increases the threat of unauthorized access, and

therefore must be controlled with identification, authentication, and encryption where available. Remote

users who need to communicate directly with the school’s systems to receive/send data and updates will

often be connecting through public networks. This increases the threat of unauthorized access.

Accordingly, remote access may be denied to users if compromise of school data is expected. Please see

Remote Access below.

Devices such as hard drives should not be shared, as this creates a vulnerability and ease of access for

hackers.

Storage Limits

Due to limitations in server space and to keep from overloading a network of the size used by the Franklin

County Schools, teacher and staff users are limited to 500MB of storage. Users exceeding this limit will be

asked to remove documents and/or files to comply with the maximum limit of 500MB of storage. Use of

USB flash drives, cloud applications, and/or CD-ROMs for storage is encouraged.

CHAPTER 3 PROCESSING INFORMATION AND DOCUMENTS

Appropriate data and information must be made available to authorized persons as and when required. For

all other persons, access to such data is prohibited. Making multiple copies of an original file is

discouraged unless specifically required by Franklin County Schools or FCBOE policies.

Third party access to school information not covered under any Freedom of Information Act is not

permitted unless the risk is considered to be negligible. Allowing persons external to the school system

access to systems and data can not only compromise the confidentiality of the information, but can result in

loss of data validity and integrity.

Downloading Files and Information from the Internet

Great care must be taken when downloading files and information from the internet to safeguard against

malicious code as well as inappropriate material. These pose significant Information Security risks such as

viruses or other malicious codes which infect the entire system. In addition, downloaded software often

requires licensing in order to avoid legal action from the supplier.

Use of Email

Electronic mail should only be used for school business purposes. Only email accounts created for faculty

and staff by the internet service provider and provided by the FCBOE should be used on the Franklin

County Schools network. Students are not provided with FCBOE email accounts, either individually or

generically. Attaching data files to messages is recommended only after the files have been scanned

for viruses or other malicious code, and attachments are not to exceed 5MB. Attachments containing personal or confidential

information must be encrypted (or password-protected).

Email is sent via public lines, which means it is like a post card – anyone who picks it up can read it.

Sending confidential files or information in email or as an attachment is a breach of that confidentiality.

Relying upon email from a legal perspective is not advised as simple email messages are not authenticated.

Personal email sent from one individual to another using the school’s systems may be misconstrued as

coming from the organization itself and may result in Information Security issues.

Incoming email must be treated with the utmost care because of its inherent information security risks.

Opening email with file attachments should not be done until the attachments have been scanned for

viruses or other malicious code.

Data retention periods for email should be established to meet business requirements and adhered to by

staff. Retention of email can consume significant storage capacity on systems, especially where files have

been received and stored. Email “Inboxes” must be cleaned out regularly to remove items from the

network. Remember that Inbox items reside on the network and may be opened and read by any system

administrator or other persons with access to the email system.

Unsolicited email must be treated with caution and never responded to. If the sender is a hacker, this

validates the email address and verifies that a person opened the mail, thus opening the door to the spread

of potential viruses or a denial of service attack.

Users must ensure that information being forwarded in email (especially attachments) is correctly

addressed and is only being sent to appropriate persons. When email is forwarded, the individual is adding

his/her name and details to it. Ensure you are comfortable with the information contained in the original

because any security risk associated with the original mail to you will also apply to the forwarded email.

Users must guard against unauthorized “phishing” for personal information, since reputable firms do not

request this sensitive information via email.

The Franklin County Board of Education (FCBOE) has published a “Use of Electronic Mail” policy (Board

Policy #1.805). Please read and adhere to this policy, noting particularly the legal ramifications of use of

the internet. This policy is available on the Franklin County Schools website under FCBOE Online

Policies.

Use of the Internet for Work Purposes

To reduce the threat of Information Security incidents, administrators are responsible for controlling user

access to the Internet, as well as for ensuring that users are aware of threats and trained in safeguarding

their systems from threats. Inappropriate access and downloads are both a misuse of school system

resources and, in some cases, are illegal. Unauthorized use of the Internet wastes time and resources.

Staff authorized to make payment by credit card (purchasing card or P-card) for items ordered on the

Internet are responsible for its safe and appropriate use. Confidential organizational credit card details

(PINs and account details) may be compromised during transmission. Passing credit card details to

unknown third parties over the Internet compromises security. Lost or stolen credit card numbers are often

posted and used illegally over the Internet.

Web browsers should be used in a secure manner by making use of the built-in security features of the

software concerned. Supervisors and Principals must ensure that staff is made aware of the appropriate

settings for the software concerned. Web browser software and email software are new paths through the

school system’s network’s security shield that could be exploited by an intruder. The security issues are in

the areas of “Cookies,” Java applets, JavaScript, ActiveX controls, and viruses. The use of a firewall may

be inadequate to protect from attack by malicious code activated by the web browser. Confidential data

may be stored and accessed through a cookie saved on your PC and accessed by a web site while the user is

browsing, likely without their knowledge. Staff may not be aware of the necessary settings and related

policy for ensuring security when using web browsers.

Information obtained from Internet sources must be verified before being used for school purposes. If

information obtained from the Internet is not verified, decisions made depending upon that information

may be incorrect. There is a substantial amount of misinformation on the Internet.

Web Sites

Web sites are important marketing and information resources for schools, and safety from unauthorized

intrusions is a top priority. Only qualified, authorized persons may amend official school-related web sites

with all changes being documented and reviewed. Disabling web sites for maintenance and updating

affords the greatest opportunity for unauthorized users to gain access and steal or modify data. The

Franklin County Schools webmaster will maintain the system website and recommend development

controls to participating system schools.

Computer files received from unknown senders should be deleted without being opened to avoid malicious

software. Always verify the source of files received before attempting to open on school-owned

computers.

Telephone Conference Calls


Staff must become aware of the Information Security issues involved in telephone conference calls. Using

the telephone to provide discussions among three or more persons poses a threat similar to those posed by

conventional person-to-person calls. The identity of the other persons involved in a conference call must

be authenticated in order to avoid a breach in confidentiality.

Videoconferencing

Staff must be aware of the Information Security issues involved in videoconference calls. An overheard

meeting can result in leaked information and, where such information is sensitive, can be very damaging.

The identity of other persons involved in a videoconference call must be authenticated in order to avoid a

breach in confidentiality.

Recording of Telephone Conversations

All parties should be notified in advance if telephone conversations are to be recorded. Failure to observe

legislation regarding recording of telephone calls will cause the Franklin County Schools to be liable for

prosecution.

Misdirected Fax Information

Any fax received in error must be returned to the sender. Its contents must not be disclosed to other parties

without the sender’s permission. Information received in a misdirected fax from internal or external

sources must be treated as highly confidential and should not be divulged to others. Be on your guard against

possible "probing." Faxes which "look official" can lead to the disclosure of confidential information.

Responding to unsolicited faxes may encourage more faxes from the same source.

Ordering Items Over the Telephone

Staff authorized to make payment for goods ordered over the telephone by credit card are responsible for

the safe and appropriate use of the information. Staff must know exactly to whom they are talking and

whether they are authorized to handle the information.

The identity of recipients of sensitive or confidential information over the telephone must be verified. It is

not uncommon for instructions or information to be given over the telephone, but this raises the issue of

verifying the identity of the caller. Be aware of social engineering, where the aim is to trick people into

revealing passwords or other information that compromises a target system's security.

The identity of persons requesting confidential or sensitive personal information over the telephone must be

verified, and they must be authorized to receive it. Callers may claim to be someone who is entitled to

access confidential material. Be aware of social engineering.

Data Management

Sensitive or confidential Data/Information may only be transferred across networks or copied to other

media when the confidentiality and integrity of the data can be reasonably assured, such as by using

encryption techniques. Incorrect data released to outside parties can lead to a loss of confidence in the

organization and/or its services.

Any illegal tampering or amendment of school data while in transit suggests a weakness that is being

exploited by hackers. Where security measures have not been adequately employed, sensitive information

may be accessed by unauthorized persons and confidential data may be distributed to

inappropriate/unauthorized persons.


The recipient of your data may have adopted information security standards that are incompatible with this

institution. This constitutes a weak link in your security which could be exploited. The inappropriate

and/or illegal release of information may result in legal action and prosecution.

The storage of information and data is a daily function for all departments that requires careful

management to ensure that information security issues are dealt with adequately. Day-to-day storage must

ensure that current data is readily available to authorized users and that archives are both created and

accessible in case of need.

Data and information files must be saved and stored securely in order to avoid disruptions in departmental

activity. Take care not to delete important information, on purpose or inadvertently, so that information is

available.

Backing Up Data

Data stored on computers within the FCBOE network must be secured from loss or inappropriate use by

regular copying and secure storage to prevent accidental or intentional loss or damage. This process

generally falls into two categories: Back up of data on individual desktop computers and back up of data

on network servers.

Individuals are advised to back up their important data on desktop computers by copying all files to a

disk, flash drive, or other portable device at least once per week. This storage device should be kept at a

location other than the office or building of the individual. Further, all unnecessary or extraneous data

stored on individual computers must be deleted at regular intervals in order to ensure maximum storage

capacity for important school or student information. Information on portable devices should be

encrypted and physical control of the devices maintained by the user.

The security of data stored on network servers cannot be over-emphasized. The protection and recovery

of this information in case of equipment failure or unavoidable accidents or catastrophic events is vital to

the continued operation of the Franklin County Schools; therefore, individuals tasked with back up of

server data must adhere to the plan published in this policy.

Server back up must be performed on a regular interval. Back ups conducted on Monday through

Thursday of each week should be Snapshot back ups, or backing up of all new data created each day. On

every 10th business day, a Full back up will be performed (complete back up of all old and new data

files). This method will ensure the best chance for adequate recovery of data in the event of loss.

Security of Personal Information

Social Security Numbers, names, and addresses (both electronic and USPS), and other bits of personal

information must not be accessible to unauthorized persons. This type of information must be

safeguarded from unauthorized persons in offices, on the web, around copiers and fax machines. Use

shredders to destroy paper records containing this information when no longer needed.


CHAPTER 4 SOFTWARE ACQUISITION AND ACCEPTANCE TESTING

This section outlines the requirements for the acquisition and acceptance testing of software. This

document includes planning for and conducting evaluations of: (i) the software and, (ii) all necessary

documentation and related activities. Planning for and conducting the follow-up activities necessary to

assure timely and effective resolution of problems will also be outlined.

Scope

This applies to all software and support systems acquired by Franklin County Schools, as well as any

software and support systems acquired, or developed by, an external corporate entity that subsequently

contracts with Franklin County Schools.

Responsibility for Compliance

The School Supervisors, in conjunction with the Chief Technology Officer, are to ensure compliance with

this software acquisition and acceptance testing procedure, and will be provided with all resources,

responsibility, authority, and organizational freedom to permit objective evaluations. They will also be

empowered to initiate and verify corrective measures that are deemed essential.

Identifying Software to Acquire

Employees may send informal recommendations to School Supervisors if they identify software that fulfills

a departmental or school need. The School Supervisor is free to decline requests for the suggested software

for implementation if:

1. The software does not conform to the specifications listed herein.

2. A substantial number of software products have been suggested.

3. The software does not fulfill the needs of the department or the organization.

Conducting Software Evaluations

Software shall be evaluated by Supervisors and Tech Support personnel in compliance with the FCBOE

policies and needs.

Conducting Documentation Evaluations

The following set of documentation should be evaluated before any software is acquired.

The software development plan (if acquiring custom developed software).

The Supervisors and Tech Support personnel will evaluate the software development plan

to be used for the project. The software developer must assure that:

o No other software plans exist for the project that have not been documented.

o The software development plans presented and evaluated comply with all

stated policies and requirements.

o The software will function properly without infrastructure changes to the

FCBOE network.


Other software documentation (operating, user manuals and other documentation).

The Supervisors and Tech Support personnel will evaluate all other software

documentation not identified in the preceding paragraph and ensure that:

o Each document adheres to the agreed format.

o Each document pertains to its stated software component.

Software Evaluation Letter

Software Evaluation Letters for each software acquisition evaluation must contain, at a minimum, the

following items:

Evaluation date.

List of participants.

Evaluation criteria used (e.g. performance, scalability, security, etc.)

Evaluation results, including problems detected, as well as references to the software problem, as

applicable.

Recommended corrective action.

Documenting Corrective Actions

All problems identified during acquisition evaluation and acceptance testing must be documented. These

problems are those that trigger non-conformance with any specified requirements. This documentation is to

serve as a basis for the software developer to take corrective actions.

Ensuring Corrective Actions are Completed

When deviances from the specified requirements are found, either during software acquisition or software

acceptance testing, the developer must do the following upon receiving the corrective actions report:

Take action to correct the defect, as well as the cause of the defect.

Perform regression testing to ensure that no new defects are injected into the software.

Ensure timely and positive corrective action is taken through proper management of the corrective

process by doing the following:

o Any additional problems detected in processes and in software that are under internal

or their control are promptly reported and added to the corrective actions report.

o Each error is adequately classified and reported.

o Corrective actions are evaluated to: verify that problems have been resolved; all

changes have been implemented on the appropriate processes and products; and

determine whether additional problems have been introduced.

Software Acceptance Checklist

The software acceptance checklist should contain, at a minimum, the following information:


The contact information for the employee(s)/officer/position listed in the Responsibility

for Policy Compliance section.

The developer’s or software manufacturer’s contact information.

The software support information.

Product information including:

o Product number.

o Type of software (e.g. Web-based, PC).

Type of user documentation included with the software e.g. user guide, online manual, an

electronic help guide, etc.

System requirements, including:

o Minimum/recommended RAM.

o Hard drive space.

o Additional software required e.g. software libraries, databases, etc.

o Software keys and licenses.

Beta testing results using the Software Evaluation Form.

Suggested Actions Prior to Software Approval Submission

Prior to submitting new software for approval, interested teachers or other persons in contact with software

vendors/textbook companies should consider the questions below:


TOP TEN QUESTIONS TO ASK YOUR SOFTWARE VENDOR

1. What are the Computer User specs? i.e., What operating system is/are required? How

much memory is required? How much hard drive space is required? Any other

requirements?

2. What are the server specs (for Enterprise/Network applications)? i.e., Operating system

(2002, 2008?) Memory required? Hard drive space? Any other requirements?

3. What versions are available?

a. Internet?

b. CD on client?

c. Enterprise (network)?

4. Is the disk required to be loaded each time software is used?

5. Or, does software run from hard drive? Or both 4 & 5?

6. Is Tech Support available? Is there an 800 number? 24/7? For how long following

purchase?

7. Is there a software warranty? What are the recurring costs from year-to-year?

8. Will it work in a wireless environment?

9. How many components or disks does it take to load?

10. What other schools are using this software and who can we talk to there?


CHAPTER 5 PHYSICAL SECURITY OF NETWORK DEVICES

Servers, routers, switches, and hubs are located throughout various buildings in the school district. Doors

to these facilities must be secured and adequate ventilation must be available to prevent overheating of

components. Under no circumstances should students be allowed access to servers, routers, switches, or

hubs. In addition, data closets should not be used as storage areas for other departments or for

maintenance services.

Classroom and Lab computers must be secured when not in use. A “Log Off” policy is in effect

throughout the Franklin County Schools district. Whenever teachers or supervisors leave a computer

classroom, office, or lab unoccupied, users must be logged off the computers in order to prevent

unauthorized use by students or staff. It is also preferable to lock the room to further ensure limited

access to the computers not in use and prevent unsupervised usage.


CHAPTER 6 WIRELESS SECURITY

The IT Department must be aware of all wireless locations and use of wireless capabilities in fixed labs

and other locations system-wide. Requests for the installation of wireless routers, hubs, or access points at

schools must be made in advance to the IT Department.

Security concerns are part of the potential drawbacks to wireless technology. Although a number of

security measures were built into the 802.xx standards, it is almost universally accepted that wireless

networks are considerably less secure and slower than wired ones.

A number of vulnerabilities can allow hackers to gain access to a school's wireless network. While the

goal of such "whacking" is most often to gain free Internet access, the same security holes can potentially

be used to access confidential student information, alter records, or inflict malicious damage of other

sorts on school LANs. Wireless access points generally have a range of 200 feet more or less, which

includes areas outside the building within that range.

Wireless Service Set Identifications (SSIDs) have been established within the FCBOE Wireless VLAN

for access to the wireless network for various services. Whether Public or Private, Teacher or Guest,

users must adhere to the wireless security features built into the SSIDs. All of the wireless devices on a

WLAN must employ the same SSID in order to communicate with each other. Authentication using

username and password or a special passcode is required for access to FCBOE SSIDs.

It is important to understand that increased security generally involves tradeoffs - in terms of cost, speed

and resource time needed to make upgrades, change passwords and generally manage the security

systems so that they work efficiently.

It is strongly recommended that wireless encryption be used on all access points.


CHAPTER 7 REMOTE ACCESS AND AGREEMENT

Purpose

The purpose of this section is to define standards, procedures, and restrictions for connecting to FCBOE’s

internal network(s) from external hosts via remote access technology, and/or for utilizing the Internet for

business purposes via third-party wireless Internet service providers (a.k.a. “hotspots”). FCBOE’s resources

(i.e. student data, computer systems, networks, databases, etc.) must be protected from unauthorized use

and/or malicious attack that could result in loss of information, damage to critical applications, loss of

revenue, and damage to our public image. Therefore, all remote access and mobile privileges for FCBOE

employees to enterprise resources – and for wireless Internet access via hotspots – must employ only

board-approved methods.

Scope

This chapter applies to all FCBOE employees, including full-time staff, part-time staff, contractors,

freelancers, and other agents who utilize school- or personally-owned computers to remotely access the

organization’s data and networks. Employment at FCBOE does not automatically guarantee the granting of

remote access privileges.

Any and all work performed for Franklin County Schools on said computers by any and all employees,

through a remote access connection of any kind, is covered by this procedure. Work can include (but is not

limited to) e-mail correspondence, Web browsing, utilizing intranet resources, and any other company

application used over the Internet. Remote access is defined as any connection to FCBOE’s network and/or

other applications from off-site locations, such as the employee’s home, a hotel room, airports, cafés,

satellite office, wireless devices, etc.

Supported Technology

All remote access will be centrally managed by FCBOE’s IT department through the ISP and will utilize

encryption and strong authentication measures. Remote access connections covered by this section include

(but are not limited to) Internet dial-up modems, frame relay, ISDN, DSL, VPN, SSH, cable modems,

proprietary remote access/control software, etc. The following table outlines FCBOE’s minimum system

requirements for a computer, workstation, or related device to comply with FCBOE’s systems. Those who

do not meet these requirements must upgrade their machines, or face being denied remote access privileges.


| | PC and PC-Compliant Computers | Portables/Laptops | iPads, Smartphones |
| Operating System | Windows XP Pro Standard Edition or Higher | Windows XP Pro Standard Edition or Higher | iOS 5 or higher: 3G capable |
| CPU | Intel Core 2 | Pentium M | 200Mhz Intel |
| RAM | 1 GB | 1 GB | 512 GB |
| Disk Space | 80GB | 80GB | N/A |
| Additional Drives | 48X32 CDRW/DVD; Best Video and Sound Cards available | 24XCDRW/DVD; Best Video & Sound Cards available | N/A |

Eligible Users

All persons/companies requiring the use of remote access for business purposes must go through an

application process that clearly outlines why the access is required and what level of service is needed

should his/her application be accepted. Applications must be approved and signed by the manager,

supervisor, or department head before submission to the IT department. Privately owned connections

(under ‘Supported Technology’) may not be used for business purposes. In all cases, the IT department

must approve the connection as being secure and protected. However, the IT department cannot and will

not technically support a third-party ISP connection or hotspot wireless ISP connection. All expense for

reimbursement of cost (if any) incurred due to remote access for business purposes (i.e. Internet

connectivity charges) must be submitted to the appropriate unit or department head. Financial

reimbursement for remote access is not the responsibility of the IT department.

Appropriate Use

It is the responsibility of any entity with remote access privileges to ensure that their remote access

connection remains as secure as his or her network access within the office. It is imperative that any remote

access connection used to conduct FCBOE business be utilized appropriately, responsibly, and ethically.

Therefore, the following rules must be observed:

Vendors will use secure remote access procedures. This will be enforced through public/private

key encrypted strong passwords in accordance with FCBOE’s password policy. They must agree

to never disclose their passwords to anyone, particularly to family members if business work is

conducted from home.

All remote computer equipment and devices used for business interests, whether personal- or

company-owned, must display reasonable physical security measures. Computers will have

installed whatever antivirus software deemed necessary by FCBOE’s IT department.

Remote users using public hotspots for wireless Internet access must employ for their devices an

FCBOE-approved personal firewall, VPN, and any other security measure deemed necessary by


the IT department. VPNs supplied by the wireless service provider should also be used, but only in

conjunction with FCBOE’s additional security measures.

Hotspot and remote users must disconnect wireless cards when not in use in order to mitigate

attacks by hackers, wardrivers, and eavesdroppers.

Users must apply new passwords every business/personal trip where company data is being

utilized over a hotspot wireless service, or when a company device is used for personal Web

browsing.

Any remote connection (i.e. hotspot, ISDN, frame relay, etc.) that is configured to access any

FCBOE resources must adhere to the authentication requirements of FCBOE’s IT department. In

addition, all hardware security configurations (personal or company-owned) must be approved by

FCBOE’s IT department.

Contractors and temporary staff will make no modifications of any kind to the remote access

connection without the express approval of FCBOE’s IT department. This includes, but is not

limited to, split tunneling, dual homing, non-standard hardware or security configurations, etc.

Contractors and temporary staff with remote access privileges must ensure that their computers are

not connected to any other network while connected to FCBOE’s network via remote access, with

the obvious exception of Internet connectivity.

In order to avoid confusing official school business with personal communications, employees,

contractors, and temporary staff with remote access privileges must never use non-school system

e-mail accounts (e.g. Hotmail, Yahoo, etc.) to conduct FCBOE business.

No employee is to use Internet access through school networks via remote connection for the

purpose of illegal transactions, harassment, competitor interests, or obscene behavior, in

accordance with other existing FCBOE policies.

All remote access connections must include a “time-out” system. In accordance with FCBOE’s

security policies, remote access sessions will time out after 10 minutes of inactivity, and will

terminate after two hours of continuous connection. Both time-outs will require the user to

reconnect and re-authenticate in order to re-enter company networks. Should a remote user’s

account be inactive for a period of seven days, access account privileges will be suspended until

the IT department is notified.

If a personally- or school-owned computer or related equipment used for remote access is

damaged, lost, or stolen, the authorized user will be responsible for notifying their manager and

FCBOE’s IT department immediately.

The remote access user also agrees to immediately report to their manager and FCBOE’s IT

department any incident or suspected incidents of unauthorized access and/or disclosure of school

resources, databases, networks, etc.

The remote access user also agrees to and accepts that his or her access and/or connection to

FCBOE’s networks may be monitored to record dates, times, duration of access, etc., in order to

identify unusual usage patterns or other suspicious activity. As with in-house computers, this is

done in order to identify accounts/computers that may have been compromised by external parties.

Franklin County Schools will not reimburse employees for school-related remote access

connections made on a pre-approved privately owned ISP service.


Non-Compliance

Failure to comply with the Remote Access Agreement may result in the suspension of remote access

privileges, disciplinary action, and possibly termination of employment.

Employee Declaration

I, [employee name], have read and understand the above Remote Access Agreement, and

consent to adhere to the rules outlined therein.

______________________________________

__________________________________

Employee Signature Date

______________________________________

__________________________________

Manager Signature Date

______________________________________

__________________________________

IT Administrator Signature Date

_____________________________________________________


CHAPTER EIGHT PRINTERS

Purpose

Printers represent one of the highest equipment expenditures at Franklin County Board of Education. The

goal of this chapter is to facilitate the appropriate and responsible use of Franklin County Schools’ printer

assets, as well as control FCBOE’s printer cost of ownership by preventing the waste of paper, toner, ink,

and so on.

Scope

This chapter applies to all employees of Franklin County Schools, as well as any contract employees in the

service of Franklin County Schools who may be using FCBOE networks and equipment.

Supported Printers

FCBOE supports the printers named in the Standard Equipment List, which is updated yearly. An effort

has been made to standardize on specific printer models in order to optimize contractual agreements and

minimize support costs. The list indicates the model, resolution, location, and capabilities (e.g. color

printing, double-sided printing, large print jobs, special paper types) of all FCBOE printers.

General

Printers are to be used for documents that are relevant to the day-to-day conduct

of business at all schools and the central office. FCBOE printers should not be

used to print personal documents.

Installation of personal printers is generally not condoned at FCBOE schools due

to the cost of maintaining and supporting many dispersed machines.

Do not print multiple copies of the same document – the printer is not a copier

and typically costs more per page to use. If you need multiple copies, print one

good copy on the printer and use the photocopier to make additional copies.

If you print something, please pick it up in a timely fashion. If you no longer want

it, please dispose of it appropriately (i.e. recycle).

If you come across an unclaimed print job, please stack it neatly next to the

printer. All unclaimed output jobs will be discarded after one week.

Make efforts to limit paper usage by taking advantage of duplex printing (i.e.

double-sided printing) features offered by some printers and other optimization

features (e.g. printing six PowerPoint slides per page versus only one per page).

Make efforts to limit toner use by selecting light toner and lower dpi default print

settings.

Avoid printing large files, as this puts a drain on network resources and interferes

with the ability of others to use the printer. Please report any planned print jobs in

excess of ten pages to the IT department so that the most appropriate printer can

be selected and other users can be notified.

If printing a job in excess of 25 pages, please be at the printer to collect it when it

comes out to ensure adequate paper supply for the job and that the output tray is


not overfull (i.e. you may need to remove some of the output before the print job

is finished).

Avoid printing e-mail messages. Instead, use the folders and archiving

functionality in your e-mail application to organize and view your messages.

Avoid printing a document just to see what it looks like. This is wasteful.

Avoid re-using paper in laser printers, as this can lead to paper jams and other

problems with the machine.

Many printers do not support certain paper types, including vellum,

transparencies, adhesive labels, tracing paper, card stock, or thicker paper. If you

need to use any of the paper types, consult with IT to find out which machines can

handle these specialty print jobs.

Color printing is typically not required by general office users. Given this

selective need, as well as the high cost per page to print color copies, the number

of color-capable printers available has been minimized. You are strongly

encouraged to avoid printing in color when monochrome (black) will do.

Printer paper is available at each school. Toner cartridges are available at each

department.

If you encounter a physical problem with the printer (paper jam, out of toner, etc.)

and are not “trained” in how to fix the problem, please do not try. Instead, report

the problem to the vendor or ask a trained co-worker for help.

Report any malfunction of any printing device to Tech Support as soon as

possible.


CHAPTER NINE MOBILE DEVICE MANAGEMENT

SMARTPHONES

All requests to purchase or use Smartphones for educational purposes must be reviewed by the IT

Department to ensure that the equipment is compatible with the existing IT environment.

The IT Department will assist employees with the set up of school-owned Smartphones, including

business-use software installation. Employees are solely responsible for the maintenance and general

upkeep of their assigned Smartphone.

I, [supervisor’s name], am the supervisor for [employee’s name]. I approve the use of

his/her Mobile Device to conduct and access information for the following purposes:

1.

2.

3.

[Employee’s name] assumes liability for corporate and personal information stolen,

lost or misused. Employees will be required to sign a waiver before accessing

corporate information on their Mobile Devices.

________________________________ ____________

Employee’s Signature Date

________________________________

Employee’s Name (Printed)

________________________________

Supervisor’s Signature

Please provide this form to the technician at the time of the issue.

_____________________________________________________


CHAPTER TEN PASSWORDS

Purpose

Passwords are a critical part of information and network security. Passwords serve to protect user accounts,

but a poorly chosen password, if compromised, could put the entire network at risk. As a result, all

employees of Franklin County Schools are required to take appropriate steps to ensure that they create

strong, secure passwords and keep them safeguarded at all times. The purpose of this chapter is to set a

standard for creating, protecting, and changing passwords such that they are strong, secure, and protected.

Scope

This chapter applies to all employees of Franklin County Schools who have or are responsible for a

computer account, or any form of access that supports or requires a password, on any system that resides at

any Franklin County Schools facility, has access to the FCBOE network, or stores any non-public FCBOE

information.

Expiration

Passwords must be changed every semester, or 180 days.

Old passwords cannot be re-used for a period of 12 months.

All passwords must conform to the guidelines outlined below.

Password Construction Guidelines

Passwords are used to access any number of school systems, including the network, e-mail, the Web, and

voicemail. Poor, weak passwords are easily cracked, and put the entire system at risk. Therefore, strong

passwords are required. Try to create a password that is also easy to remember.

1. Passwords should not be based on well-known or easily accessible personal information.

2. Passwords must contain at least seven characters.

3. All passwords must start with a letter.

4. Passwords must contain at least six lowercase letters (e.g. t).

5. Passwords must contain at least one numerical character (e.g. 5).

6. Passwords should not contain special characters (e.g. $).

7. A new password must contain at least five characters that are different than those found in the old

password which it is replacing.

8. Passwords must not be based on a user’s personal information or that of his or her friends, family

members, or pets. Personal information includes logon I.D., name, birthday, address, phone

number, social security number, or any permutations thereof.


9. Passwords must not be words that can be found in a standard dictionary (English or foreign) or are

publicly known slang or jargon.

10. Passwords must not be based on publicly known fictional characters from books, films, and so on.

11. Passwords must not be based on the school system’s name or geographic location.

Password Protection Guidelines

1. Passwords should be treated as confidential information. No employee is to give, tell, or hint at

their password to another person, including IT staff, administrators, superiors, other co-workers,

friends, and family members, under any circumstances.

2. If someone demands your password, refer them to this policy or have them contact the IT

Department.

3. Passwords are not to be transmitted electronically over the unprotected Internet, such as via e-mail. However, passwords may be used to gain remote access to company resources via the company’s IPsec-secured Virtual Private Network or SSL-protected Web site.

4. No employee is to keep an unsecured written record of his or her passwords, either on paper or in

an electronic file. If it proves necessary to keep a record of a password, then it must be kept in a

controlled access safe if in hardcopy form or in an encrypted file if in electronic form.

5. Do not use the “Remember Password” feature of applications.

6. Passwords used to gain access to school systems should not be used as passwords to access non-school accounts or information.

7. If possible, don’t use the same password to access multiple school systems.

8. If an employee either knows or suspects that his/her password has been compromised, it must be

reported to the IT Department and the password changed immediately.

9. The IT Department may attempt to crack or guess users’ passwords as part of its ongoing security

vulnerability auditing process. If a password is cracked or guessed during one of these audits, the

user will be required to change his or her password immediately.

Enforcement

Any employee or student who is found to have violated FCBOE policy may be subject to disciplinary

action, up to and including suspension.

_____________________________________________________


CHAPTER ELEVEN NETWORK SECURITY FOR PORTABLE COMPUTERS

Introduction

Portable computers offer staff the ability to be more productive while on the move. They offer greater

flexibility in where and when staff can work and access information, including information on our

corporate network. However, network-enabled portable computers also pose the risk of data theft and

unauthorized access to our corporate network. Any device that can access the corporate network must be

considered part of that network and therefore subject to policies intended to protect the network from harm.

Any portable computer that is proposed for network connection must be approved and certified by the IT

department.

Protecting the Laptop

In order to qualify for access to the FCBOE network, the laptop must meet the following conditions:

Network settings must be reviewed and approved by IT support personnel.

Anti-virus software must be installed. Software must have active scanning and be kept up-to-date.

Recommended anti-virus software is Norton Antivirus.

Laptop User’s Responsibilities

1. The user of the laptop is responsible for physical security of the laptop whether they are

onsite, at home, or on the road.

2. The user of the laptop is responsible for keeping their anti-virus scanning software up-to-date

at all times. It is strongly recommended that they update their anti-virus software before going

on the road.

Security Audits

The IT department reserves the right to audit any laptop used for school business to ensure that it continues

to conform to this certification policy. The IT department will also deny network access to any laptop

which has not been properly configured and certified.


CHAPTER TWELVE HUMAN RESOURCES CONSIDERATIONS

Compliance

All employees must comply with the Information Security procedures of the Franklin County Schools.

Any Information Security incidents resulting from non-compliance will result in immediate disciplinary

action. All staff will have previous employment and other references checked prior to employment, in

addition to a background check.

Job Descriptions

Where job descriptions and duties make no reference to Information Security other than for technical staff,

employees may be under the mistaken impression that they are not responsible for Information Security.

All employees should abide by these procedures and Franklin County Schools must protect itself against

hiring individuals ill-suited for the position. Most if not all employees are given access to Franklin County

Schools information systems and the security risks should be addressed with all employees.

Third Party Inclusion

This risk also exists with contracted, third party individuals, especially those hired to work with software

and/or hardware within the system. All external suppliers of contracted services to the Franklin County

Schools must agree to follow the procedures stated herein. An appropriate summary of our Information

Security Procedures must be delivered to any such supplier prior to engaging in contracted services.

Security of Keys

The lending of keys whether physical or electronic is prohibited. This requirement should be noted in

employment contracts. Keys should be issued to authorized staff only.

Intellectual Property Rights

All Intellectual Property Rights over work done by employees of Franklin County Schools as part of their

normal duties are to be owned by the Franklin County Schools. If the school system wishes to own the

Intellectual Property Rights over work done by third parties or contractors, it must ensure that the

agreement or contract with the third party or contractor covers this issue.

Protecting Confidentiality

All employees of Franklin County Schools must protect the confidentiality of information, both during and

after employment with Franklin County Schools. All employee data is to be treated as strictly confidential

and made available only to authorized persons or agencies. The disclosure of this type of information is

covered by data privacy legislation.

Access to System-owned Information

Notwithstanding the Franklin County Schools’ respect for employee privacy in the workplace, it reserves

the right to have access to all information created and stored in the school system’s network, to include

work done by students. In cases in which the monitoring of employee activity is perceived as intrusive

and/or excessive and in contravention of Human Rights Laws, legal proceedings may result in fines and

other penalties for Franklin County Schools.

References

Only authorized personnel may give employee references. The preparing of references is a specialized

process and should only be undertaken by properly trained and authorized persons. When giving


references, Franklin County Schools system personnel must ensure that they are aware of who is requesting

the information and why. Passing inaccurate or inappropriate personal reference details to third parties

may result in liability claims.

Staff Disaffection

Management of the Franklin County Schools must respond quickly yet discreetly to indications of staff or

student disaffection, communicating as necessary with Human Resources management and the Chief

Technology Officer. Disaffected staff can present a significant risk as they are still deemed trusted

employees, but their potential to inflict damage is high. All staff will usually become aware of what

information assets are of value to the organization and, although they may not have direct access to

information themselves, they may be able to obtain access through personal relationships. Staff whose

personal circumstances have changed significantly or who have a grievance may begin to act differently.

Their change in behavior could signal the possibility of a breach or attempted breach of Information

Security.

Staff Leaving Employment

Upon notification of staff resignations, Human Resources management must consider with the Chief

Technology Officer whether the staff member’s continued access rights constitute an unacceptable risk to

Franklin County Schools and, if so, revoke all access rights. Departing staff must be treated sensitively,

particularly with regard to the termination of their access privileges. System and access rights of departed

personnel must be terminated immediately.


CHAPTER THIRTEEN STAFF AWARENESS AND TRAINING

Permanent staff is to be provided with Information Security awareness tools to enhance awareness and

educate them regarding the range of threats and the appropriate safeguards. Temporary staff must receive

an appropriate summary of Information Security policies prior to beginning work with the Franklin County

Schools. Franklin County Schools’ leadership must lead by example, ensuring that Information Security is

given a high priority in all activities and initiatives.

Providing Updates to Staff

Franklin County Schools is committed to providing regular and relevant Information Security awareness

communication to all staff by various means, including electronic updates, briefings, and newsletters.

Feedback will be sought by the IT Department on the effectiveness of the system’s policies.

Security Training for New Systems

Franklin County Schools is committed to providing training to all users of new systems to ensure that their

use is both efficient and does not compromise Information Security. New systems should be able to be

implemented without concerns to Information Security, downgrading of the current security framework, or

other security breaches.

Information Security Training for IT Staff

Periodic training for all IT Department staff will be prioritized to educate and train in the latest threats and

Information Security techniques. Individual training in Information Security is mandatory, with any

technical training being appropriate to the responsibilities of the user’s job functions. Where staff change

jobs, their Information Security needs must be re-assessed and any new training provided as a priority.


CHAPTER FOURTEEN PREMISES SECURITY

Site Selection

Sites selected for the installation of computers and/or the storage of data must be suitably protected from physical

intrusion, theft, fire, flood, and other hazards. In the context of Information Security, “premises” refers to

any area in which hardware is located; it may range from a corner in an office to an entire building. It is

important to consider the choice of premises for computer hardware carefully because it is difficult to make

changes once a location, or site, has been selected. The physical security measures adopted will depend

upon the value of the hardware, the sensitivity of the data, and the required level of service resilience.

Challenging Strangers

All employees of Franklin County Schools are to be aware of the need to challenge strangers on school

property, to include computer premises. Strangers may be a new staff member or they may be someone

intent upon doing damage to the security of the schools, so employees must not be afraid to challenge

strangers.

Data Storage

On-site and remote locations where data is stored must provide access control and protection which reduce

the risk of loss or damage to an acceptable level. Data stores hold removable media vital to the backup and

recovery process.

Security of Keys

The lending of keys whether physical or electronic is prohibited. This requirement should be noted in

employment contracts. Keys should be issued to authorized staff only.


CHAPTER FIFTEEN DETECTING & RESPONDING TO INFORMATION SECURITY INCIDENTS

Reporting

All suspected Information Security incidents must be reported to the Chief Technology Officer. An

Information Security Incident may be defined as any occurrence which in itself does not necessarily

compromise Information Security, but which could result in it being compromised. An example is a

multiple login failure on a single user account, leading to that account being locked out. Another example is

finding a computer logged onto the network with no recognizable username or evidence of multiple

attempts to access the network. Information Security breaches must be reported to the Chief Technology

Officer without delay in order to speed the identification of any damage caused, any restoration and repair,

and to facilitate the gathering of any associated information. Persons witnessing Information Security

breaches or incidents must report them as above without delay.

The Chief Technology Officer will be responsible for reporting Information Security incidents to outside

agencies when required to do so, such as third party ISP, county agencies, law enforcement, etc.

Responding

The Chief Technology Officer must respond to reported incidents rapidly and in a controlled manner, coordinating

with colleagues for the gathering of all relevant information or evidence and offering advice. Evidence

related to a suspected breach or incident must be formally recorded and processed.

System Weaknesses

The Chief Technology Officer will be notified immediately of all identified or suspected Information

Security weaknesses.

Responsibility

Information Security is everybody’s responsibility. Awareness of and vigilance for possible breaches are the

best way to minimize the intended consequences of an actual Information Security breach.


CHAPTER SIXTEEN OPERATIONS CONTINUITY MANAGEMENT

Planning

The Franklin County Schools system is responsible for initiating an Operations Continuity Plan for the

continuation of key operational services in the event of an unexpected occurrence which may seriously

disrupt the essential and critical business processes of the system. This may also be referred to as a

Disaster Recovery Plan. The Plan must contain a series of critical actions which will lead to the return of

normal operations. Failure to develop a viable, tested OCP, or an OCP that fails when enacted, may result

in the organization’s operations not being able to recover – ever. The Plan must be approved by the

Franklin County Board of Education.

Risk Assessment

It is highly recommended that a formal risk assessment be conducted in order to determine the

requirements for an Operations Continuity Plan. The Risk Assessment must analyze the nature of such

unexpected occurrences, their potential impact, and the likelihood of these occurrences becoming serious

incidents. Sufficient financial and human resources must be allocated if the resultant plan is to succeed.

Testing the OCP/DRP

The Operations Continuity Plan must be periodically tested to ensure that the management and staff

understand how it is to be executed. Where the OCP testing does not reproduce authentic conditions, the

value of such testing is limited. A failure to analyze the OCP Test Plan results will likely detract from the

value of the test.

Awareness

If an OCP is to be executed successfully, all personnel must not only be aware that the plan exists, but also

know its contents and the duties and responsibilities of each party. All staff must be made aware of the

OCP and of their own respective roles.

Maintaining and Updating the OCP/DRP

The OCP must be kept up to date and re-tested periodically. It is suggested that the OCP be tested at least

annually, with the results used to update the plan.


CHAPTER SEVENTEEN REQUESTS FOR TECHNICAL SUPPORT

IT Department technical support for all Information Security or IT-related equipment or software issues

may be obtained by logging into the Tech Request Web Site at https://login.bigwebapps.com. Use the

email address that was assigned as the username and fcboe as the initial password. The password may be

changed after initial entry. Again, it is important to note that the Tech Request Web Site may be accessed

from anywhere the person has access to the World Wide Web.

Once Login is established, select FCBOE IT Support from the menu to submit a work request, or ticket. If

you have a work request for the FCBOE Maintenance Department, the selection would be FCBOE

Maintenance.

Prior to creating a new ticket, please read the Troubleshooting Tips located on the right-hand side of the

page to see if any of these steps can solve the problem or issue you are experiencing. If you are not able to

resolve an issue with the Troubleshooting Tips, proceed to Create a New Ticket with yourself as the user.

The Internal Location* must be entered, and the program will default to your assigned school or other

location. If this is incorrect, use the drop down arrow to select the correct location.

The Class* of ticket must be entered and you can use the drop down arrow to select the appropriate Class.

The Technician will automatically be assigned the ticket based on your location. ID Method assists the IT

Department with the exact location of the piece of equipment or software being addressed in the ticket, so

please specify exactly where the item is located. The exact Room Number* where the problem is located

must be entered. Every school has a list of Room Numbers, and this is needed in order to further identify

the location.

If the ticket concerns a computer problem, the Computer Name can be entered so that the technician can use Remote Desktop

procedures to solve the issue more quickly. The Computer Name may be found by right-clicking My Computer,

left clicking Properties, and selecting the Computer Name tab. Please enter the complete Computer Name

exactly as listed under the Name Tab. Somewhere on the device is an FCBOE Asset Tag, a small white tag

with “Property of Franklin County School System” on the top over a bar code, and then a six-digit number

beneath the bar code. This tag number must be reported prior to the technician’s acceptance of the work

order because FCBOE Technicians are prohibited from working on items that do not belong to the FCBOE.

If the ticket is a telephone service issue, please type in the telephone number of the phone, and then indicate

the best time for a technician to come to your location to resolve your issue. The ticket must be given a

Subject Heading, such as Cannot Access Network on Office Computer. Below the subject heading, in the

Text box, please type as much specific information as possible about the problem or issue in order to fully

explain what you are experiencing. This will speed up resolution of the problem. Once completed, click

on Save & Close beneath the text in order to submit your ticket to the appropriate computer technician. A

message will be generated to the technician and to you containing the information you entered.