Ark. Code Ann. §6-11-128 COM RT-09-010

IT Security Officer
• Job Description
• Annual performance evaluation identifies security responsibilities (1B1)
Security Simplified

Data Sensitivity
• Student personally identifiable information
• Employee personally identifiable information
• FERPA (Family Educational Rights and Privacy Act) (1B2)
• FOIA

FERPA
• Parents have the right to inspect and review the student's records
• Parents have the right to ask for corrections to records
• Schools are not required to provide copies
• May charge for copies

FERPA (cont'd)
Can disclose without consent:
• School officials
• Other schools
• Officials for audits/evaluations
• Financial aid
• Organizations conducting studies on behalf of the school
• Accrediting organizations
• Comply with judicial order
• Health & safety reasons
• Juvenile justice system
• Directory information: student's name, address, phone number, date and place of birth, honors and awards, and dates of attendance. Parents must be notified.

FOIA
Ark. Code Ann. 6-11-129
• Medical records
• Adoption records
• Personnel records (invasion of privacy)
• Home addresses
• Licensure exam information
• Employee evaluations, unless these records form the basis for termination of the employee
• Make information available in 24 hours
• Citizens may request a copy in any medium/format
Training
• All employees having access to sensitive information need to undergo annual IT security training (1B3)

Workstation Security
• Workstations must not be left unattended when logged into sensitive systems
• Automatic log off and password screen savers must be deployed
• All equipment that contains sensitive information will be secured to deter theft
• Sensitive data will be encrypted if retained on laptop and/or remote devices (2B1)
(Image: locked screen reading "Password Protected ********")

Computer Room Security
• Server rooms should be restricted from general access
• Access should be controlled (2B2)

Perimeter Security
• Network Configuration
• Network Diagram
• Public facing servers and computers must be segmented from the internal District network: Firewall, Router, VLAN, etc. (3B1)
Wireless Networks
• Shall require authentication and encryption (3B2, 3)
• Shall not contain information relative to the District, location, mission, or name (3B2)
• Shall scan for and disable rogue devices at least quarterly (3B2)
• Warning Banners (3B4)

Access Control
• Strong Passwords (4B1): capital letters, lowercase letters, numbers, symbols
• User access only to areas needed to perform their job (4B2)

Access (cont'd)
• Audit and log files are generated and maintained for at least 90 days (4B3)
• IT Administrator privileges kept to the minimum number of staff necessary to perform duties (4B4)
Application Development & Maintenance
• Custom-built applications that interface, integrate with, query, or report to/from student or financial systems (5B)

Incident Response Plan
• Emergency Contacts
• Containment Procedures
• Response & Escalation Procedures (6B)

Business Continuity
• Develop a Continuity Plan (7B)
• Procedures for routine backups, weekly (minimum)
• Backup media must be stored off-site & retained in a fire safe container
• Secondary Location
• Emergency Procedures

Malicious Software
• Spyware & Virus Protection
• Frequent Updates & Scanning
• Security-relevant software patches are applied within 30 days
• Critical patches applied ASAP (8B)
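The measurable controls from the Access Control and Malicious Software slides (password character classes in 4B1, 90-day log retention in 4B3, and the 30-day / ASAP patch windows in 8B) expressed as a small compliance check. This is an added example, not part of the District's policy or of any tool the slides name; the patch names, dates and log-file dates are constructed, and reading "ASAP" for critical patches as same-day application is an assumption.

```python
from datetime import date, timedelta
import string

# Thresholds taken from the slides: 4B1 (password classes),
# 4B3 (log retention) and 8B (patch window).
PATCH_WINDOW_DAYS = 30
LOG_RETENTION_DAYS = 90

def password_meets_4b1(pw: str) -> bool:
    """4B1: all four classes present: capital, lowercase, number, symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def overdue_patches(patches, today: date) -> list:
    """8B: names of patches outside policy. Each patch is
    (name, severity, released, applied_or_None). Assumed reading of the
    slide: 'critical' means ASAP, checked here as same-day; any other
    security-relevant patch has PATCH_WINDOW_DAYS from release."""
    overdue = []
    for name, severity, released, applied in patches:
        grace = 0 if severity == "critical" else PATCH_WINDOW_DAYS
        deadline = released + timedelta(days=grace)
        # a still-unapplied patch is judged against today's date
        if (applied or today) > deadline:
            overdue.append(name)
    return overdue

def daily_logs(today: date, days: int) -> set:
    """Constructed helper: the dates of `days` daily log files ending today."""
    return {today - timedelta(days=i) for i in range(days)}

def log_retention_ok(log_days: set, today: date) -> bool:
    """4B3: a daily audit log exists for each of the last LOG_RETENTION_DAYS
    days (today inclusive), so nothing was purged early and no day is missing."""
    return all(today - timedelta(days=i) in log_days
               for i in range(LOG_RETENTION_DAYS))

# Constructed sample data, not taken from the page.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_PATCHES = [
    ("P1", "critical", date(2024, 5, 30), date(2024, 5, 30)),  # same day: ok
    ("P2", "critical", date(2024, 5, 30), None),               # still open
    ("P3", "security", date(2024, 4, 20), date(2024, 5, 25)),  # 35 days after release
    ("P4", "security", date(2024, 4, 1), None),                # open for over 30 days
]

if __name__ == "__main__":
    print(password_meets_4b1("Tr0ub4dor&3"))                              # True
    print(overdue_patches(SAMPLE_PATCHES, SAMPLE_TODAY))                  # ['P2', 'P3', 'P4']
    print(log_retention_ok(daily_logs(SAMPLE_TODAY, 60), SAMPLE_TODAY))   # False
```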
Questions?