3710-R Network Security
Campbell County School District will:
- Use encryption as much as possible to protect data.
- Use firewall(s) to secure critical segments.
- Use firewall(s) to detect and stop unauthorized intrusion and network-level threats.
- Secure Domain Name System (DNS) services to prevent unauthorized use.
- Disable all services that are not in use, and any service whose use you are not sure of.
- Use encrypted protocols when connecting to network equipment wherever possible.
- Avoid using plain text protocols as much as possible.
- Secure routing protocols wherever possible (i.e., enable password authentication on protocols).
The Network Administrator will be responsible for ensuring that network protocols are configured securely and will work with building and district technologists in developing and securing wiring closets.
Campbell County School District will determine when backups are needed and this will be done prior to the movement of any required systems. Campbell County School District will make an exact, retrievable copy of the data. Campbell County School District will test the copy of the data to make sure the copy of the data is exact and retrievable. Campbell County School District will store the backed up data in a secure location and ensure that the appropriate access controls are implemented to only allow authorized access to all such data.
Server Administrators will be responsible for ensuring the implementation of the data backup and storage procedures.
Campbell County School District will control access to its information assets and systems. Only individuals that have been formally authorized to view or change sensitive information will be granted access to that information. The staff member’s job description will be reviewed to determine their individual rights and the group to which the individual will be assigned.
The fundamental principle of “need to know” will be applied within Campbell County School District to determine access privileges. Access to sensitive information will be granted only if that individual has a legitimate business need for the information. Reasonable efforts will be made to limit the amount of information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Each individual that accesses sensitive information via a computer at Campbell County School District will be granted some form of unique user identification, such as a login ID. At no time will any employee allow anyone else to use their unique ID. Likewise, at no time will any employee use anyone else’s ID.
Campbell County School District will establish an emergency access procedure for gaining access to sensitive information during an emergency. Extraordinary care in safeguarding and documenting the use of the information will be exercised during this procedure.
Wherever reasonable and appropriate, Campbell County School District will establish role-based categories that identify types of information necessary for employees to do their jobs. Access to sensitive information will be granted based on these roles or functions that the individual performs within the organization.
Campbell County School District will maintain procedures for automatic logoff of systems that contain sensitive information after a period of inactivity. The length of time that a user is allowed to stay logged on while idle will depend on the sensitivity of the information that can be accessed.
Campbell County School District will evaluate and implement encryption and decryption solutions as an additional form of access control, where deemed reasonable and appropriate as follows:
- Technically sound and useable
All individuals identified in the scope of this policy are responsible for:
- Ensuring no other individual uses their unique ID
- Never using another individual’s unique ID
- Abiding by the terms of this policy
The Campbell County School District Server Administrators are responsible for:
- Ensuring employees have access to only the sensitive information they need to do their jobs
- Creating and maintaining role-based access control based on the roles and functions workforce members perform in the organization
- Ensuring each workforce member has a unique user ID to access systems that contain sensitive information
- Maintaining emergency access procedures
- Maintaining automatic logoff procedures
- Evaluating and implementing (when reasonably appropriate) encryption and decryption solutions as a form of access control
Symmetric cryptosystem key lengths must be at least 128 bits.
Asymmetric cryptosystem keys must be of a length that yields equivalent strength.
Campbell County School District’s key length requirements will be reviewed annually and upgraded as technology allows. All keys generated will be securely escrowed.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Network Administrator.
Campbell County School District requires that:
- All passwords must be changed at least once every semester for those who have access to safety-sensitive systems, i.e., student data, human resource, and financial systems.
- User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- Where the Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults of “public,” “private,” and “system,” and must be different from the passwords used to log in interactively. A keyed hash must be used where available.
Users must select strong passwords when accessing sensitive information. Strong passwords have the following characteristics:
- Be at least six characters in length
- Be a mixture of letters, numbers, and special characters
- Be changed at least every semester
Further, systems that authenticate must require passwords of users and must block access to accounts if more than five unsuccessful attempts are made.
Members of the workforce must follow these guidelines for passwords:
- Don’t reveal a password over the phone to ANYONE
- Don’t reveal a password in an e-mail message
- Don’t talk about a password in front of others
- Don’t hint at the format of a password, like, "my family name"
- Don’t reveal a password on questionnaires or security forms
- Don’t share a password with family members
- Don’t reveal a password to co-workers
Employees must not write passwords down and store them anywhere in their office. Further, passwords must not be stored on ANY computer system (including Palm Pilots or similar devices) without encryption.
Server Administrators are responsible for ensuring the implementation of password management.
Members of the workforce must not share their passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential information.
ADOPTION DATE: September 27, 2016
CROSS REFERENCE(S): 3710