2313 R&P | 3013 R&P | 4013 R&P

EMPLOYEE ACCEPTABLE USE OF ELECTRONIC RESOURCES

Each employee is responsible for the protection and privacy of the district’s data. There are three classifications of data within the Wake County Public School System. Employee due diligence is especially important with CONFIDENTIAL material.

Data Classifications

The most recent data classification matrix, which includes the district’s examples of each classification, can be found on the WCPSS intranet website under Departments / Information Security.

Data Handling, Labeling, and Destruction Procedures

Each data classification has a defined set of handling, labeling, and destruction procedures. These procedures protect the data throughout its life from electronic, to print, to eventual destruction. These procedures are especially important when the information is CONFIDENTIAL or sensitive in nature. The most recent data handling, labeling, and destruction procedures can be found on WCPSS intranet website under Departments / Information Security.

Guideline when sharing CONFIDENTIAL and sensitive information:
- Verify that a bona-fide need-to-know or right exists
- Share the minimum amount of information necessary to complete the task or request

Employees will
- Use password protected screen savers that are set for less than or equal to 30 minutes
- Manually lock the computer screen, room, and file cabinets when away
- Close or cover CONFIDENTIAL and sensitive files when others visit
- Log off the computer and secure CONFIDENTIAL and sensitive information at the end of each workday
- Shred CONFIDENTIAL and sensitive material before placing in trash or FEED THE BIN
- Send CONFIDENTIAL material through courier rather than sending in e-mail when possible

Employees will not
- Leave a computer unattended when they are logged in
- Store electronic CONFIDENTIAL information on a personal device
- Configure a computer or device to automatically logon
- Configure an operating system or application to remember a password to a system or service containing CONFIDENTIAL or sensitive information; unless the Chief Technology Officer (CTO) or the Information Security Officer (ISO) has approved the password capture program
- Store CONFIDENTIAL information on a mobile device without approval from the ISO

Passwords
- Must be kept secret since users are accountable for all work done under their user ID (use of password for system access may be tracked and audited)
- May NEVER be shared (unless for obvious reasons such as technical assistance)
- Are required to be changed if it is suspected that someone knows or has used it
- Will be kept secure; NO Post-it ® Notes or similar storage of passwords (Do not post passwords or store in accessible areas such as unlocked desk drawers)
- Where technically possible, will be a minimum of 8 characters in length, contain a mixture of characters and numbers, and expire after no more than 180 days
- May be easier to remember if constructed with a sentence. Examples: backto07School; myDiet89isapain; at23myHairfellout

2313.1 3013.1 4013.1

Supervision of Students
- Teach responsible use of resources whenever possible
- Monitor student use of Internet and local computer use
- Supervise student use of electronic information resources in a manner that is appropriate to the student’s age and the circumstances of use
- Follow the WCPSS guidelines for classroom based Internet activities found in section 2313.2
- Recognize that inappropriate student behavior typically escalates with substitute supervision
- Warn students about potential liability (including criminal) for possession and use of hacking tools
- Advise students where certain activities can lead to illegal or unauthorized activity
- Emphasize that there are no sanctioned hacking activities
- Explain that students are not authorized to run, manipulate, or download any software, script, or resource for which they have not been given specific authorization.
- Explain that students may not store files in unauthorized locations such as the local hard drives.
- Create local rules if necessary since each school will have its own set of issues then send these rules to Information Security for possible future inclusion in Policy or R&P

2313.2 3013.2 4013.2

Classroom Activities

The Internet is no longer simply a resource for students to retrieve or pull information. The Internet is increasingly used for the pushing and exchanging of information. Interactive tools allow collaboration and exposure beyond the traditional walls of a classroom. Although interactive tools may bring increased benefit to students, they also produce increased risks, as the posted information may be publicly available. Thus, use of interactive Internet tools requires additional planning and supervision.

Student involvement with interactive Internet tools is required to be teacher directed. Management, monitoring, and responsibility for “posted content” lie with the individual teacher sponsoring the activity. Students retain all rights and ownership of content published under their chosen pseudonym. Posted content encompasses a variety of items including but not limited to artwork, opinions, comments, and written papers.

WCPSS Guidelines for Classroom Based Internet Activities
- It is authorized (Check the “do not share” directory requests from parents or guardians)
- Separate consent has been obtained prior to posting non-directory information about a student (such information cannot be released without prior written consent)

Storage, Processing, or Transmission Restrictions
- WCPSS school or divisional Internet facing web servers are not authorized for the storage, processing, or transmission of CONFIDENTIAL data.
- All WCPSS business conducted online must utilize WCPSS authorized e-mail (communications) programs or services. Schools wishing to use external services must have the contracts approved by Technology Services Division so that the appropriate provisions may be added to the contract e.g., procedures and contacts for public information requests.
- By default, externally hosted programs or services are authorized for the processing, storage, and transmission of Public information only. Authorization for external processing, storage, or transmission of CONFIDENTIAL or Internal Use Only data can only be granted by the Chief Technology Officer (CTO) or the Information Security Officer (ISO).

2313.3 3013.3 4013.3

Harassment, Cyberbullying, and Cyberstalking

When it can be demonstrated that cyberbullying, cyberstalking or other harassment involves electronic resources and has resulted in a substantial disruption of the educational environment, the district may intervene and involve external authorities if necessary. Report real or suspected harassment, cyberbullying, or cyberstalking incidents to the Security department or the School Resource Officer (SRO).

Unauthorized Possession or Use
- Use of proxy servers or other such services to circumvent the Internet blocking filter is expressly prohibited. Storing or possession of files containing IP addresses of proxy servers is likewise prohibited.
- Possession of unauthorized or unlicensed software is prohibited.
- Any files including but not limited to music, pictures, executable files etc. that do not support educational goals are not authorized to be stored in shared, network, or server directories.
- Installing, downloading, storing, or running software used for hacking is prohibited. Hacking or security tools are defined as tools that have the potential to: (a) target or collect information for an attack or access to systems; (b) enumerate account shares or file systems; (c) allow unauthorized access; (d) allow escalation of privileges; (e) bypass security settings; (f) create a back door; (g) attack a system; (h) create a denial of service; (i) remove or delete files to cover tracks; or (j) otherwise interfere with the designed operation of the system.

2313.4 3013.4 4013.4

Purchase of mobile devices

Many mobile devices are unsupportable or incompatible with the WCPSS environment. Prior to obtaining mobile devices and expecting to be able to use them within the WCPSS environment, it is the responsibility of the employee to ascertain the appropriateness of the device for its intended use within WCPSS.

Technology Related Infractions

There are no separate rules for disciplining technology related infractions; however, a graduated scale of consequences and remedial actions is recommended. Each infraction, whether by an employee or by a student, requires individual review with proper consideration of all mitigating circumstances. In addition, academic considerations may be involved. In each instance, consider the following:
- Should the individual be told that the behavior is unacceptable? (For this specific offense, not just by the signing of the AUP)
- Should the individual be given a chance to stop the offending behavior? (If the offender is a student, should that student be given a chance to stop the behavior prior to contacting the parents?)
- Is this a first time offense or a continuous problem?
- Has the infraction taken place over a few minutes or is it a sustained or systemic issue?
- What is the nature of the prohibited content or abuse?
- What is the quantity of prohibited content (number of files)?
- Was the infraction illegal or simply ill advised?
- Did the infraction endanger other persons (students or employees)?

When to Involve Technology Services Division

When computer related issues are of a serious nature or assistance is needed for the collection, validation, or documentation of evidence, employees are advised to contact Technology Services Division (TSD) for assistance. For assistance, principals and central services supervisors may report issues or request assistance using the information security incident reporting process outlined below in 2313.6.

School based computer related incidents are not to be handled by an Instructional Support Technician (IST) or any contracted personnel (such as the IST providing service to high schools).

2313.5 3013.5 4013.5

Information Security Standards
- Schools and divisions are required to comply with the WCPSS information security standards, as well as all other procedures, guidelines, and processes published by Technology Services Division, for all computing resources that process, transmit, or store WCPSS data.
- All e-mail systems supporting WCPSS must participate in the public records request process of the district.
- Technology related contracts must be approved by Technology Services Division Unless specific

The most recent information security standards, procedures, guidelines, and processes can be found on the WCPSS intranet website under Departments / Information Security.

2313.6 3013.6 4013.6

Information Security Incident Reporting Process

Employees are required to report all information security incidents of which they become aware. An information security incident is a real or suspected breach or weakness in data security. For issues where a real or suspected legal or physical harm exists, contact the School Resource Officer (SRO) or the Security Department first. The reporting process should be as follows:

2313.7 3013.7 4013.7

CONFIDENTIAL Data on

CONFIDENTIAL and sensitive information stored on removable and portable media present significant risks to the district because these items are often lost, misplaced, and/or stolen.

Users having a bona-fide business need to store CONFIDENTIAL or sensitive material on mobile devices must place a formal request with the Information Security Officer (ISO). The employee’s principal or a senior director or above must first approve the request. Approved requesters will receive assistance in securing their WCPSS devices with approved encryption software.
- Employees must use encryption passwords that are a minimum of 8 characters in length, contain a mixture of characters and numbers, and are different from the password used to access their computer
- Employees must place encryption passwords in a sealed envelope which is given to their supervisor for safekeeping (label the outside of the envelope with name, employee id, short description of device being secured, and the current date)
- Encryption passwords must be provided to the ISO or Chief Technology Officer if requested
- Encrypted data is subject to the same scrutiny and oversights as mentioned in 2313.5/3013.5/4013.5, Employee Acceptable Use of Electronic Resources and supporting information security standards

CONFIDENTIAL Material (Use Outside WCPSS / Transporting)
- Do not leave WCPSS CONFIDENTIAL material unattended (hardcopy and electronic). Extra care must be taken in locations where people congregate such as coffee shops, airports, malls, and libraries.
- When traveling in a vehicle with CONFIDENTIAL material, secure the items in the trunk before getting into the car NOT after stopping on the way home. Thieves watch and target last minute transfers. Where no trunk exists, employees must decide if the stop is worth the risk or take necessary precautions to protect the material.
- Leaving material vulnerable to theft may be unintentional, but the decision to leave unprotected CONFIDENTIAL data on mobile devices is considered intentional.
- Users having CONFIDENTIAL and sensitive material on mobile devices that have not yet been secured written permission may incur greater personal liability in the event the device is lost or stolen.

Lost or Stolen CONFIDENTIAL Material

All CONFIDENTIAL material that is lost or stolen must immediately be reported to a school principal or a central services supervisor who may then call the Information Security (INFOSEC) hotline. Where the investigation finds that a loss of control was likely, even if the material is recovered, external reporting may still be required. If it can be determined that the material was not compromised, the case may be closed.

Lost or Stolen Computing Hardware

Any WCPSS computing resources having the ability to store data must be reported when lost or stolen via the “Information Security Incident Reporting Process” in 2313.6. Where CONFIDENTIAL material is suspected or known to be present on the hardware, follow the procedures in “Lost or Stolen CONFIDENTIAL Material” as well.

Legal Reference: 15 U.S.C. § 6501 et seq.; 16 C.F.R. Part 312; 47 U.S.C. § 254; 42 U.S.C. 2000e et seq.; 18 U.S.C. § 2510 et seq.; 20 U.S.C. § 1681 et seq.; 20 U.S.C. § 6777; G.S. 14-196.3; G.S. 15A-286 to -287

Adopted: June 3, 2008