LAFAYETTE DISTRICT SCHOOLS Information Technology Policies and Procedures

June 11, 2012


INDEX

1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Policy
4.1 General Use and Ownership
4.2 Security
4.2.1 Passwords, Accounts, and Antivirus
4.2.2 Network Security and Administrator Rights
4.2.3 Data Loss Prevention Program
4.2.4 Disaster Recovery Plan
4.2.5 Security Incident Response Plan
4.3 Employee and Student Laptop, Netbook, Tablet Policy
4.4 Unacceptable Use
4.4.1 Unacceptable Use: System and Network Activities
4.4.2 Unacceptable Use: Email and Communications
4.5 Web Pages
4.6 Purchasing
4.7 Technology Committee
5.0 Enforcement
6.0 Revisions
APPENDIX

1.0 Overview

The Lafayette County IT Department is committed to protecting the Lafayette County School District's students, employees, and partners from illegal or damaging actions by individuals, either knowingly or unknowingly.

Network related systems, including but not limited to computer equipment, software, operating systems, storage media, mobile devices, network accounts providing electronic mail and/or resources, browsing, and FTP, are the property of Lafayette County Schools. These systems are to be used for educational and school business-related purposes with the intent of serving the interests of the students, teachers, and other staff members of Lafayette County Schools.

Maintaining the Lafayette Schools District’s Information Technology System requires proper planning, organization, monitoring, and effective security. A team effort involving the participation and support of every Lafayette County School District employee and affiliate is required to meet and exceed the standards set forth by the US Government, State of Florida, School Board of Lafayette County, and the Lafayette County Superintendent of Schools. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use for the network-related systems of the Lafayette County School District. These rules are in place to protect the students, staff, and the School Board of Lafayette County. Inappropriate use, improper planning, and general disregard of these procedures could expose Lafayette County Schools to risks including compromise of network systems and services, possible damage to the network, and legal issues.

3.0 Scope

This policy applies to students, employees, contractors, consultants, temporaries, authorized guests, and other workers at Lafayette County Schools, including all personnel affiliated with third parties.

This policy applies to all equipment that is owned, leased, or rented by Lafayette County Schools to include all future acquisitions.

4.0 Policy

4.1 General Use and Ownership

1. Users should be aware that the data they create on the network remains the property of Lafayette County Schools. Users should have no expectations of expressed or implied privacy.
2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
3. For security and network maintenance purposes, the IT Department may monitor equipment, systems, and network traffic at any time.
4. The Lafayette County School District’s IT Department reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security

4.2.1 Passwords, Accounts, and Antivirus

1. Users, which includes employees, students, and guests of Lafayette County Schools, will be granted access to the network after they have signed the appropriate Network Usage Agreement form (see Appendix). Employees and students are required to renew their agreement at the start of each school year.
2. Users must keep passwords secure and not share accounts. Authorized users are responsible for the security of their passwords and accounts.
3. Employees will be required to change their passwords every 90 days (does not apply to students).
4. All computers used by students, employees, or guests that are connected to the Lafayette County School’s network, whether owned by the user or Lafayette County Schools, shall be continually executing virus-scanning software with a current virus database.
5. Employees and students must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

4.2.2 Network Security and Administrator Rights

1. Administrative passwords for the network, servers, computers, wireless access points, and other electronic devices are to be kept strictly confidential and known only by the IT staff members that need them to perform their job. Distributing passwords of any kind is strictly forbidden.
2. Wireless access points will be secured with a security mechanism to be determined by the Chief Technology Officer. The wireless security code will be entered into authorized devices by the IT staff only. Any attempt to obtain and/or distribute this code is strictly forbidden.
3. Employees using Lafayette County School District devices will not be granted Administrative Rights to those devices. The Chief Technology Officer will determine if there is a valid reason for deviating from this policy.

4.2.3 Data Loss Prevention Program

The purpose of the Data Loss Prevention Program (Plan) is to address controls for data at rest, data in motion, and data in use.

Data at Rest is any information (data) that is stored on file servers, databases, backup drives, etc.

Data in Motion is information (data) that is moving internally in the Lafayette District LAN and/or any network outside the LAN via the Internet.

Data in Use is that information (data) utilized at the endpoint such as laptops, tablets, netbooks, workstations, external drives (regardless of type) and other mobile devices.

The following steps will be utilized for prevention of Data Loss in connection with the Lafayette District School’s LAN.

1. Utilize content filtering and monitoring of all students and faculty/staff.
2. Archive all email communications to and from all Lafayette District School employees and students.
3. Optimize file server disk space and network bandwidth (for excessive bandwidth use).
4. Utilize a Security Agent to detect rogue or malicious software.
5. Monitor the endpoint through the use of software as well as physical observation (spot checks) to ensure non-District devices are not present and District devices are being utilized properly.

In addition, IT personnel must be notified a minimum of one working day prior to the termination or leave of absence of any employee. Upon notification, IT personnel will secure (lock) the network access of the departing employee. These accounts will be deleted after thirty days.

4.2.4 Disaster Recovery Plan

The purpose of this Disaster Recovery Plan is to ensure that a plan is in place and active for continuing critical operations of the Information Technology systems of Lafayette District Schools in the event of a major hardware or software failure.
To accomplish this for all data stored on servers under the control and/or ownership of Lafayette District Schools, the following procedures will be adhered to.

1. All data located in the Lafayette School system Master Distribution Facility will be backed up to a local storage server with backups implemented weekly as a minimum.
2. In addition to local storage all data will be housed in a secure off-site facility that meets NIST (National Institute of Standards and Technology) Level II standards. This site will be selected by the Chief Technology Officer and approved by the Superintendent of Schools.
3. The physical act of recovering data in an emergency will be by all available members of the Lafayette District Schools IT Department under the direction of the CTO\Network Administrator.
4. In the event District IT personnel are not available the services of the North East Educational Consortium (NEFEC) will be utilized.
5. All members of the IT Department will become familiar with An Introduction to Computer Security—The NIST Handbook published by the Computer Security Division of the National Institute of Standards and Technology (NIST). Procedures outlined in this publication should be followed as much as the existing environment will permit. A link to this handbook may be found at http://csrc.nist.gov/publications/nistpubs/800-12.

4.2.5 Security Incident Response Plan

The Security Incident Response Plan is to ensure that events which may jeopardize the confidentiality, integrity, or availability of data and IT resources are responded to in a timely and appropriate manner by Lafayette County Schools IT personnel. To make incident analysis effective the following steps, as recommended by the National Institute of Standards and Technology, will be utilized.

1. Profile the network and related systems with emphasis on unknown devices.
2. Ensure an understanding of normal behavior on the Lafayette District network.
3. Ensure retention of all logs until the Chief Technology Officer determines a need no longer exists.
4. Perform an Event Correlation among the different log sources.
5. Utilize a Packet Sniffer to collect additional data as may be needed.
6. Should an incident occur, the Incident Handling Checklist found in the Appendix will be utilized.

4.3 Employee and Student Laptop, Netbook, Tablet Policy

1. Users must understand that laptops, netbooks, tablets, slates, or any other IT issued device are property of Lafayette County Schools and shall be returned in their original condition upon request.
2. Employees issued such a device are required to complete a Laptop Sign-Out Form (see Appendix) and assume all risk of injury or harm associated with the use of the laptop/netbook/tablet off premises, including but not limited to, physical damage or loss, or personal injury.
3. While employee laptops/netbooks/tablets are being used off campus, the Lafayette School District will exercise no control over the information accessed through the internet and cannot be held responsible for content viewed.
4. Students issued a laptop, netbook, tablet or similar device owned by The Lafayette School District must have a notarized parent/guardian signature and the signature of the student receiving the device (see Appendix for form) on file in the IT Office. The document will also be signed by issuing IT personnel.
5. Student laptops/netbooks/tablets will have remote filtering software installed so as to remain CIPA compliant.
6. Damage to a student issued laptop/netbook/tablet must have a Damage Report completed prior to turning in to the IT Department (see Appendix).
7. The Lafayette County School System and its employees will not be held liable for claims for damages that may arise from the use of issued laptops/netbooks/tablets, etc. while not on school property.

4.4 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host, if that host is disrupting production services). Exemption can only be authorized by the Chief Technology Officer or Superintendent of Schools.

Under no circumstances is an employee, student, or guest of Lafayette County Schools authorized to engage in any activity that is illegal under local, state, federal or international law, while utilizing Lafayette County School-owned resources, to include the network and Internet.

Attempts to circumvent or defeat mechanisms put in place by the Lafayette County School District IT staff to manage the network are strictly forbidden.

4.4.1 Unacceptable Use: System and Network Activities

The following activities are strictly prohibited, with no exceptions:

1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Lafayette County School District.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources; copyrighted music; and the installation of any copyrighted software for which Lafayette County School District or the end user does not have an active license is strictly prohibited.
3. Exporting software, technical information, encryption software or technology.
4. Introduction of malicious programs into the network or server (e.g., viruses, worms, trojan horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
6. Using a Lafayette County School District computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Lafayette County School District account.
8. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purpose.
9. Port scanning or security scanning unless prior notification and approval is received from the CTO\Network Administrator beforehand.
10. Executing any form of network monitoring unless prior notification and approval is received from the CTO\Network Administrator beforehand.
11. Circumventing user authentication or security of any host, network or account.
12. Interfering with or denying service to any user other than the student/employee's host (for example, denial of service attack).
13. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal network connectivity, via any means, locally or via the network/Internet.
14. Providing information about, or lists of, Lafayette County School District’s students or employees to parties outside the Lafayette County School District without prior permission from the Superintendent of Schools.

4.4.2 Unacceptable Use: Email and Communications Activities

1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within Lafayette County School District's networks or of other internet/network service providers on behalf of, or to advertise, any service hosted by Lafayette County Schools or connected via Lafayette County School's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

4.5 Web Pages

The CTO\Network Administrator has responsibility for oversight and training of all web pages created in or for the Lafayette District School System. Content for Lafayette Elementary and Lafayette High Schools is the responsibility of the respective principals.

4.6 Purchasing

The IT department is responsible for the seamless integration of any hardware or software into the existing network system and maintaining an inventory of all such items. When considering the purchase or addition of any technology related item, prior approval from the IT Department is required. A verbal request is not acceptable. In addition, a quote for is not an approval for purchase.

4.7 Technology Committee

The Lafayette County School District will maintain a Technology Committee comprised of the CTO\Network Administrator, other IT staff as necessary, District level Administrators, and one administrator and one faculty member from each school. The Purpose of the Technology Committee is:

1. To provide a forum to discuss issues, concerns, and/or interests of the teachers and administrators at each school with the IT Department.
2. To assist in promoting the efficient use of technology in schools, including creating standards for the management and application of technology.
3. To serve as a resource for Lafayette County Schools in helping all employees understand technology in schools and how to use it properly and efficiently.
4. Assist in planning for and evaluating classroom technology (such as model classrooms and educational software).
5. Assist in planning professional development activities related to technology.
6. Assist in other activities as deemed appropriate by the committee in collaboration with the IT Department and Superintendent of Schools.

5.0 Enforcement

Failure to adhere to these policies and guidelines may result in suspension or revocation of the offender’s privilege or access to the network and/or other disciplinary or legal action.

6.0 Revisions

The Lafayette County School District reserves the right to change these Policies and Procedures at any time to ensure the operability and safety of the network and its users.

APPENDIX

Required Forms:

Employee IT Sign-Out Form
Incident Handling Checklist
Student IT Device Sign-Out Form
Computer/Internet Acceptable Use Policy
Netbook Damage Report
Student Computer/Internet Use Policy

LAFAYETTE DISTRICT SCHOOLS EMPLOYEE IT SIGN-OUT FORM

PROPERTY NUMBER:____________________

This form is used for audit/property accountability. Signing below acknowledges this device is the property of Lafayette District Schools and must be returned to the IT Department if employment terminates for whatever reason.

Employee Last Name: _____________________ First Name: ___________________________

Home telephone number:____________________________________

Device type:________________________________________________

Serial Number:______________________________________________

Employee Signature:_________________________________________

Date Device Returned:________________________________________

IT Signature Upon Return:_____________________________________

Upon return of property indicated on this form, make a copy with all signatures and return the original to employee.

LAFAYETTE DISTRICT SCHOOLS INCIDENT HANDLING CHECKLIST

Date: ____________________

Initial by each numbered item when complete.

Detection and Analysis

1. Determine whether an incident has occurred.
1.1 Analyze the precursors and indicators.
1.2 Look for correlating information.
1.3 Perform research.
1.4 As soon as it has been determined that an incident has occurred, begin documenting the investigation and gathering evidence.
2. Prioritize handling the incident based on relevant factors (functional impact, information impact, recoverability effort, etc.).
3. Report the incident to the CTO (if not the handler) and Superintendent.

Containment, Eradication, and Recovery

4. Acquire, preserve, secure, and document evidence.
5. Contain the incident.
6. Eradicate the incident.
6.1 Identify and mitigate all vulnerabilities that were exploited.
6.2 Remove malware, inappropriate materials, and other components.
6.3 If more affected hosts are discovered, repeat the Detection and Analysis steps (1.1 and 1.2) to identify all other affected hosts, then contain and eradicate (steps 5 and 6).
7. Recover from the incident.
7.1 Return affected systems to an operationally ready state.
7.2 Confirm that the affected systems are functioning normally.
7.3 If necessary, implement additional monitoring to look for future related activity.

Post-Incident Activity

8. Create a follow-up report.
9. Hold a lessons learned meeting (mandatory for major incidents, otherwise at the discretion of the CTO).

LAFAYETTE DISTRICT SCHOOLS STUDENT IT DEVICE SIGN-OUT FORM

PROPERTY NUMBER:______________________

STUDENT LAST NAME: ________________________ FIRST NAME: _______________________

ADDRESS: _____________________________________________________________________

DEVICE TYPE: ___________________________________________

DEVICE SN: _____________________________________________

The student whose signature (along with notarized parent signature) appears below will have use of the above device while enrolled at Lafayette High School. By the signature below the student acknowledges he/she is responsible for notifying the District IT Department immediately if this equipment is damaged and/or lost. The student further acknowledges he/she is responsible for the security and ethical use of the above device and must pay for damages that are not deemed by the IT Department to be fair wear and tear. The above device must be returned to the Lafayette District IT Department when he/she is no longer enrolled at Lafayette High School or at the end of the school year.

No device may be issued to a student without a signed LAFAYETTE DISTRICT STUDENT ACCEPTABLE USE POLICY FOR INFORMATION TECHNOLOGY RESOURCES on file with the District IT Department. This (separate) form requires parent/guardian and student signatures.

__________________ Student Signature _____________ Date

______________________ Parent\Guardian Signature ______________ Date

__________________ Printed Student Name

_______________________ Printed Parent Name

County of _________________

On this, the _______day of______, 20____, before me a notary public, the registered officer, personally appeared ________________________, known to me (or satisfactorily proven) to be the person whose name is subscribed to within instrument, and acknowledged that he executed the same for the purposes therein contained. In witness hereof, I hereunto set my hand and official seal.

Notary Signature: ____________________

Printed Notary Name: ___________________

Notary Stamp:

FOR IT DEPARTMENT: Upon receiving the above device, enter receipt number here: __________________________________

EMPLOYEE NAME ___________________________________ DATE _____/_____/_____

Computer/Internet Acceptable Use Policy
Lafayette School District

Lafayette School District views the use of computers and retrieval of information from the Internet in the same manner as information retrieval from reference materials identified by the school (i.e. library). Specifically, Lafayette School District supports those materials which will enhance the research and inquiry of the learner with directed guidance from faculty and staff. However, on a global network (the Internet) it is impractical to control all materials; users may discover inappropriate information. Teachers and other staff using the Internet should abide by the same high standards in their use of the Internet.

Inappropriate Internet information and use is considered to be, but not limited to, the following:

1. The retrieving and viewing of any information that is pornographic in nature.
2. The disclosing of personal information without that person’s consent.
3. Using profanity, obscenity, or other language that may be offensive.
4. Copying commercial software in violation of copyright laws.
5. Using the Internet for financial gains or for any commercial or illegal activity.
6. “Surfing” with no educational objective in mind.
7. Downloading and playing of games and/or music that are of no direct educational value.
8. Engaging in “Bullying” or solicitation of any type.
9. Any other activity that may bring embarrassment to the Lafayette District School System.

Inappropriate device (computer, tablet, etc.) use is deemed to be, but not limited to the following:

1. Failure to keep personal passwords confidential, to include allowing others access under your user name and password. (This includes Teacher’s assistants.)
2. Using profanity, obscenity, or language that may be offensive in the creation of any documents, to include the naming of files.
3. Rendering the computer or peripheral devices (mouse, printers, keyboard, etc.) inoperative.
4. “Tampering” with programs or files, to include unauthorized deleting.
5. Unauthorized installation of programs or files.
6. Any use that violates the copyright laws.
7. Any use that violates established policies of the Lafayette District Schools System.
8. Physical damage to computers or peripheral devices.
9. The sending or forwarding of emails containing inappropriate materials, personal emails or “chain” emails.
10. The District LAN is considered a public network and as such there is no reasonable expectation of privacy beyond that stated by Florida law (student information and certain personnel information).

An employee who is aware of any infraction of these requirements, by an employee or student, is required to report such infraction to their immediate supervisor, who, in turn, will notify the IT Department. Failure to comply with the above or any other item deemed necessary by the administration will result in the loss of computer privileges and/or possible disciplinary actions.

The employee is required to apply the same confidentiality standards to sensitive information (HIPAA) in the use of the Internet and any technology devices as are required in the normal course of their work.

Anyone accessing computers or the internet must have a current, signed internet/computer use form on file with the District IT Department. The signature below indicates agreement, understanding, and compliance with the policy stated herein.

_______________________________ Signature ________________ Date

NetBook Damage Report
Lafayette School District

Student’s Name_____________________________________

Property Number_____________________

Parent’s Name______________________________________

Phone#______________________________

ADDRESS:__________________________________________________________________________________

Date of incident and Time_____________________________

Location_____________________________

Teacher in Charge ______________________________________

Witnesses____________________________________________________________________________________

Brief Description of what happened: _____________________________________________________________________________________________

Submit form to Lafayette District Schools IT Department (remainder of form for District use only).

Investigation: _____________________________________________________________________________________________

Determination:

□ Accidental Damage

□ Referred to Principal/Dean

□ Deliberate Damage

□ Referred to Superintendent for further action

□ Yes □ No Funds recovered—Amount__________________

Funds received by Business Office: ___________________

Method of Payment

□ Cash

□ Check

__________________________________ Signature

Date

STUDENT NAME _________________________________ GRADE ____ DATE OF BIRTH _____/_____/_____

Lafayette District Schools Student Computer/Internet Use Policy

Lafayette Schools views the use of computers and retrieval of information from the Internet as essential to the learning environment. The District fully supports those materials that will enhance the research and inquiry of the learner with directed guidance from faculty and staff. However, on a global network (the Internet) it is impractical to control all materials; users may discover inappropriate information.

Inappropriate Internet information and use is considered to be, but not limited to, the following:

1. The retrieving and viewing of any information that is pornographic in nature.
2. The disclosing of personal information without that person’s consent.
3. Using profanity, obscenity, or other language that may be offensive.
4. “Chatting” without the direct supervision of faculty or staff and only then in an educational venue.
5. Copying commercial software in violation of copyright laws.
6. Using the Internet for financial gains or for any commercial or illegal activity.
7. “Surfing” with no educational objective in mind.
8. Downloading and playing of games and/or music that are of no direct educational value.
9. Any other activity that may bring embarrassment to the Lafayette District School System.

Inappropriate computer use is deemed to be, but not limited to the following:

1. Failure to keep personal passwords confidential, to include allowing others access under your user name and password.
2. Cyber bullying, on-line stalking or similar use.
3. Using profanity, obscenity, or language that may be offensive in the creation of any documents, to include the naming of files.
4. Rendering the computer or peripheral devices (mouse, printers, keyboard, etc.) inoperative.
5. “Tampering” with programs or files, to include unauthorized deleting.
6. Unauthorized installation of programs or files.
7. Unauthorized use of “teacher” computers.
8. Any use that violates the copyright laws.
9. Any use that violates established policies of the Lafayette District Schools System.
10. Physical damage to computers or peripheral devices.
11. Attempting to change any computer settings, including but not limited to, BIOS or security software (Lightspeed).
12. Use of your District email account for any purpose other than education.

Failure to comply with the above or any other item deemed necessary by the CTO\Network Administrator, Technology Specialists or Administration will result in the loss of computer privileges through Lafayette School District and/or possible disciplinary actions. Access to computers and the Internet through the Lafayette School District will only be granted with a dated student and parent/guardian signature below. These signatures indicate agreement, understanding, and compliance with the policy stated herein.

School Year ________

__________________________ Student Signature

__________ Date

_______________________ Parent/Guardian Signature

__________________________ Printed Student Name

_______________________ Printed Parent Name