Technology Security Policy

August 16, 2006

1. Introduction


1.1. Summary

This security policy defines acceptable & appropriate use of information systems available within the Farmington Municipal School District (computer, network, phone, voicemail, fax, etc.). All staff, students and visitors’, acceptance and compliance with this security policy is required in order for them to be authorized to access the information systems within the FMS district. The document also serves as an aid in understanding some of the basic technologies, practices and protocols in use within the FMS district.


1.2. Purpose

This security policy has been created for the purpose of protecting the information systems available within the FMS district. It protects the integrity and accuracy of the information, and availability of the information systems. It helps maintain easier manageability thus providing a higher quality of service for all users of the network. It further protects the FMS district from unnecessary legal liability. Users of the information systems will also benefit from such protection as they comply with this policy.


1.3. Table of Contents


1. INTRODUCTION

1.1 Summary

1.2 Purpose

1.3 Table of Contents

 

2.  SCOPE & DEFINITIONS

 

3. ENFORCEMENT

 

4. COMPLIANCE WITH THE POLICY

 

5. POLICY STATEMENT

5.1. Basic Security Elements

5.1.1. Identification

5.1.2. Authentication

5.1.3. Authorization

5.1.4. Passwords

5.2. Personal Use

5.2.1. Use of Information Systems

5.2.2. Privacy

5.3. Network

5.3.1. Users of the network

5.3.2. Remote Network Access

5.3.3. Third Party Access

5.3.4. Privacy of Communications

5.4. Software Policies

5.4.1. Software Copyright

5.4.2. Software Ownership

5.5. Other Policies

5.5.1. Physical Security

5.5.2. Use of Standards

5.5.3. Fax & Voicemail (Unified Communications)


6. ACCEPTABLE USE

6.1. Network & Internet Summary

6.2. Obtaining access

6.2.1. Responsibility Requirement

6.3. Content of Internet – Warning / Benefits

6.3.1. Content Filtering / Content Liability

6.3.2. Parental Responsibility

6.4. Legal Liability

6.5. Prohibited Activity

6.6. Privacy


7. SUMMARY


2. Scope & Definitions


The following terms and conventions will be used with this document:

2.1. Who: 

The security policy applies to all staff, students and visitors within the FMS district.

2.2. What: 

The security policy applies to all computers (client, server, etc.), phones (voice, fax, etc.), network equipment (routers, switches, cabling, wireless access points, etc.), printers, peripherals (scanners, digital cameras/camcorders, etc.), storage media (floppy disks, CD’s, USB/Firewire drives, etc.) and all other devices which are, or can be connected to the FMS network (AKA: Computer network, data network, communications network, etc.)

2.3. Definitions

FMS – Farmington Municipal Schools

District – All sites within the FMS District

Network – FMS technology/communications network throughout the entire district (AKA: Computer network, data network, phone/voice/fax network, etc.)


3. Enforcement


This security policy is an integral part of the overall district policies which outline appropriate behavior and use of district property. Therefore, enforcement is inline with other violations of the board policy.


4. Compliance with the Policy


4.1. It is required by all FMS staff and students to comply with the FMS Technology Security Policy.

4.2. Compliance is to be handled at both the district and school levels by administrators.

4.3. Compliance may be monitored, explained & clarified by computer techs throughout the district, as well as any other staff members who are given these assignments.

4.4. It is the responsibility of all FMS staff and students to report violations of this policy to the appropriate person(s) (Students report to teachers, principals, IT staff, school staff, etc. Staff report to the appropriate authority at the school or district level).

4.5. Exceptions may be warranted on a case-by-case basis, where appropriate. All desired exception requests should be made to the appropriate administrator, who will consult the district IT staff, before granting approval to the exception. (Exception requests should be as specific as possible, in order to expedite the approval process.)

4.6. Any exception not authorized by the appropriate administration is in violation of the security policy.

4.7. This document is not to be considered all-inclusive. It is a standard and guideline for specifics, as well as general ideologies concerning the FMS network. The district reserves the right to determine whether any activity not specifically mentioned in this document is contrary to the nature of activity intended by the district security policy.

4.8. Questions regarding compliance should be referred to the site / district technology staff for clarification.


5. Policy Statement


5.1. Basic Security Elements

5.1.1. Identification

A unique user identification code, called a user ID, is used to represent a user’s identity to the system. This user ID is used for authorization, authentication, and auditing purposes.

5.1.1.1. Users must be uniquely identified to provide individual accountability.

5.1.1.2. A unique user ID will be assigned to individuals and used for identification of that individual.


5.1.2. Authentication

Authentication is the process of identifying a unique user or device. This is done by an authentication mechanism. The most common of which is having a user type their username and password at an authentication prompt.

5.1.2.1. Users must be authenticated when accessing computer, voicemail, and other services made available through the network.


5.1.3. Authorization

5.1.3.1. Individual users and devices shall be authorized to access to needed resources, as well as denied or restricted access to unnecessary resources.

5.1.3.2. Accessing or attempting to access resources without receiving authorization from the proper authority is prohibited.


5.1.4. Passwords

All passwords used on the network should be:

5.1.4.1. Not in plain English.

5.1.4.2. Difficult to guess.

5.1.4.3. Kept secret.

5.1.4.3.1. Not written down.

5.1.4.3.2. Not shared with others.


5.2. Personal Use

5.2.1. Use of Information Systems

The users of information technology systems must utilize the systems in a legal, responsible manner.

5.2.1.1. The systems and network shall not be used to generate, access or distribute material that is illegal or immoral or contravenes the principles of the district.

5.2.1.2. Use of the network and systems for commercial purposes is prohibited.


5.2.2. Privacy

The protection of the privacy of personal information, of staff and students, is of utmost importance.

5.2.2.1. The entire system will adhere to relevant local, state and federal privacy and protections acts, including, but not limited to: HIPPA, FERPA and SIP.

5.2.2.2. The entire system and all users must adhere to privacy regulations put forth in the FMS board policy.


5.3. Network

5.3.1. Users of the network

The network is in place for the educational, professional and legal purposes of the school district. Access to the system is permitted only to the following:

5.3.1.1. Staff, who have accepted the board policy (which includes this document).

5.3.1.2. All FMS students immediately upon their enrollment in the district. Students are automatically subject to the district Board Policy, which refers to this document.

5.3.1.3. Others who have been authorized to use the network by the district IT department, or other appropriate administration. (Examples include, but are not limited to: contract or maintenance workers, guests making sales presentations, and other non-student/non-staff users.)

5.3.1.3.1. In such situations, access is only granted to the necessary systems.


5.3.2. Remote Network Access

Employees may request or require access to the systems from network locations that are outside of the district network. This remote access may be granted when adhering to the following stipulations:

5.3.2.1. Appropriate justification is given for such access.

5.3.2.2. Required security measures are in place.

5.3.2.3. These requests must not compromise the security of the systems, network or data.

5.3.2.4. They must also follow the previously established requirements of the security policy.


5.3.3. Third Party Access

Third parties may request access to computing systems for contract work or to conduct special projects such as contract or maintenance agreement fulfillment. These requests should adhere to the following guidelines:

5.3.3.1. Have the appropriate approval

5.3.3.2. Be subject to stringent security mechanisms such as specific location access, time of day limitations, or other limitations.

5.3.3.3. These requests must not compromise the security of the systems, network or data.

5.3.3.4. They must also follow the previously established requirements of the security policy.


5.3.4. Privacy of Communications

The network is the property of the district. Users should not assume that their use of the network is private. The position of the district on the privacy of voice, data, fax & other communications across the network is as follows:

5.3.4.1. Electronic communications & all other network use may be subject to review, depending on the district principles and culture and the level of concern for the protection of sensitive information.

5.3.4.2. Review of electronic communications may also be required when investigating any breaches of district policy.


5.4. Software Policies


5.4.1. Software Copyright

Copyright laws protect the right of software manufacturers to create and distribute their software. Restrictions on use are included in manufacturers’ licensing agreements, which accompany each software package. The licensing agreement will stipulate the number of machines that may have the software installed on them. Violation of copyright laws is a serious offense and can subject the district to legal action.

5.4.1.1. The entire district will strictly adhere to the licensing agreements for all software used.

5.4.1.2. If additional licenses are needed for any software program they must be legally obtained. This may include the purchase of a site license (school or district). Such acquisitions must be made through the appropriate channels within the school or district.


5.4.2. Software Ownership

Any software program has the potential to disrupt the availability of the IT network (whether the local computer, network or otherwise). Further, the district is liable for software licensing violations in the network. Knowledge, control and approval of all software programs installed on the District computer network should be maintained by the appropriate entities (Site/District IT).

5.4.2.1. All software installed in the district network must be owned by / licensed to the district, except where an explicit exception is made by the proper authority (site/district IT department).

5.4.2.2. Approval is necessary in order to ensure:

5.4.2.2.1. The compatibility and validity of software programs.

5.4.2.2.2. Appropriate software licensing.


5.5. Other Policies


5.5.1. Physical Security

A secure, protected environment is essential for efficient system operation of all components of the network.

5.5.1.1. Physical access to areas containing data processing facilities is restricted to those with a clear need for access.

5.5.1.2. Prior to any equipment being checked out or leaving its primary location, the appropriate school/district check-out/release procedure must be completed. (This includes, but is not limited to computers, digital/video cameras, projection units, etc.)

5.5.1.3. Connecting devices to the network, if not owned by the district (e.g. personal property of staff or other ownership), is prohibited, with the exception of removable storage devices used exclusively for the purposes of backing up and transferring data. This use must not violate any other section of the security policy or the board policy.


5.5.2. Use of Standards

The adoption of standards is an important principle providing direction for information technology systems. These standards aid in establishing interoperability & portability of applications & communications, in a networked environment.

5.5.2.1. Technologies adopted and implemented in the district, must operate cleanly with the existing standards in place on the network.


5.5.3. Fax & Voicemail (Unified Communications)

Normally the fax and voicemail component of the communications in a district are separate from other data and are often overlooked when considering security and integrity. Farmington Municipal Schools has implemented an integrated, unified communications system that places electronic mail, data, fax and voice on the same network.

5.5.3.1. With the integrity of the network system impacting all electronic information (mail, data, voice) it is imperative that security be implemented on a scale that incorporates all potential weak points.

5.5.3.2. All fax, voice and voicemail use must conform to this policy.


6. Acceptable Use


6.1. Network & Internet Summary

We are pleased to offer students and staff of the Farmington Municipal Schools access to the district computer network for electronic mail, the Internet and other education-related technologies. Access to the Internet will enable users to explore thousands of libraries, databases, and bulletin boards while exchanging messages with Internet users throughout the world. The network is provided for users to conduct research, communicate with others and utilize many excellent education-related technology resources.


6.2. Obtaining access

To gain access to network resources, all students and staff must agree to abide by the acceptable use defined by this document. Access is a privilege - not a right. Access

requires responsibility. If a parent or guardian does not wish for their student to have

access to the internet/network, this request must be submitted to the appropriate

school in writing.


6.2.1. Responsibility Requirement

Users are responsible for good behavior on school computer networks just as they are in a classroom or a school hallway. Communications on the network are often public in nature. General school rules for behavior and communications apply. Access to network services is given to users who agree to act in a considerate and responsible manner.


6.3. Content of Internet – Warning / Benefits

Families should be warned that some material accessible via the Internet may contain items that are illegal, defamatory, inaccurate or potentially offensive to some people. While our intent is to make Internet access available to further educational goals and objectives, users may find ways to access other materials as well. We believe that the benefits to users from access to the Internet, in the form of information resources and opportunities for collaboration, exceed any disadvantages.


6.3.1. Content Filtering / Content Liability

Within reason, freedom of speech and access to information will be honored. Individual users of the district computer networks are responsible for their behavior and communications over those networks. It is expected that users will comply with district standards and will honor the agreements they have signed. Beyond the clarification of such standards, the district is not responsible for restricting, monitoring or controlling the communications of individuals utilizing the network. In addition, Farmington Municipal Schools takes no responsibility for any information or materials that are transferred through the Internet.


6.3.2. Parental Responsibility

During school, teachers will guide students toward appropriate materials. Outside of school, families bear the same responsibility for such guidance as they exercise with information sources such as television, telephones, movies, radio and other potentially offensive media. Ultimately, parents and guardians of minors are responsible for setting and conveying the standards that their children should follow when using media and information sources. To that end, Farmington Municipal Schools support and respect each family's right to decide whether or not to receive network & Internet access.


6.4. Legal Liability

Farmington Municipal Schools will not be liable for the actions of anyone connecting to the Internet through using the FMS network. All users shall assume full liability, legal, financial, or otherwise, for their actions.


6.5. Prohibited Activity

As outlined in Board policy and procedures on student and staff rights and responsibilities and in the Student and Staff Handbooks of individual schools, users of the FMS network are prohibited from participating in certain activities which include, but are not limited to:• Sending, storing, or displaying offensive material (e.g. messages, images, videos, audio)• Using obscene language• Harassing, insulting or attacking others• Damaging computers, computer systems or computer networks• Violating copyright laws• Using others' passwords• Trespassing in others' folders, work or files• Intentionally wasting limited resources• Illegal activity• Violations of board, school & this security policy• Other activities as determined by school & district administration, as well as the school board.


6.6. Privacy

As per the Technology Security Policy section 5.3.4: Network storage areas and individual computers may be treated like school lockers. Network administrators may review files and communications to maintain system integrity and insure that users are using the system responsibly. Users should not expect that files stored on district servers or individual computers will always be private.


7. Summary

The utilization of the information technologies available today benefits the district in many ways. Administration becomes more efficient. Staff can do more and be more creative. Students have access to more information and resources to supplement the learning process. Abiding by this policy allows the district to do more with technology. As less time and resources are spent dealing with such issues, more can be invested in proactively moving forward.