Procedures, standards and guidelines have been established to ensure the appropriate protection of the Division’s information systems. The Division has in its possession confidential information that must be protected. This administrative procedure also addresses the need for integrity of data throughout the Division’s information system. This procedure supports Administrative 141 Information Security and Administrative Procedure 140 Digital Citizenship.
- All users of the Division’s computer systems and network resources have the responsibility to ensure its overall security and to behave in a manner consistent with this security administrative procedure. Each user is responsible for understanding and complying with Administrative Procedure 141 Information Security and Administrative Procedure 142 Network Security.
- Division Technology Staff (DTS) including network administrators’ assistants and school based tech assistants have the same responsibilities as users, plus the additional responsibilities and privileges outlined below due to their administrative positions. DTS are expected to:
- Assess the security of Division servers, workstations, network systems/resources and data to define and promote best practices regarding security of data and systems;
- Conduct vulnerability scans on a regular basis to ensure the security of Division servers, workstations, network systems/resources and data, and if necessary, prescribe a course of action to mitigate any vulnerabilities;
- Investigate evaluate and implement security related technologies, such as authentication/authorization mechanisms, encryption, certificate services, antivirus software, network monitoring equipment, and firewalls;
- Assist in resolution of serious security compromises, which may include cooperation with law-enforcement agencies, and provide assistance for recovery and security;
- Establish appropriate user privileges, monitor access control logs, and perform similar security actions for the systems they administer;
- Be adequately trained to provide network services for the network operating environment;
- Help develop, maintain and test security procedure(s);
- Help develop, maintain and test access control, backup and disaster recovery plans;
- Take reasonable precautions to safeguard against corruption, compromise or destruction of data, computer systems, and network resources;
- Ensure user information is treated as confidential. It is recognized that DTS may potentially have contact with a user’s files, email, etc. in the course of his or her duties. The contents of such files must be kept confidential. Access to a user’s files is only authorized in the event of a security investigation, or at the written request of the user;
- Take reasonable and appropriate steps to see that all hardware and software license agreements are faithfully executed on all computer systems and networks systems;
- Subscribe to and implement appropriate vulnerability lists, based on the network operating system and services they support;
- Participate in security training approved by the Division Network administrator.
- Site managers/school administrators are responsible for ensuring that appropriate computer and communication system security measures are observed in their departments./schools. Site managers/school administrators are also responsible for making sure that all users are aware of Division procedures related to computer and information system security. Site managers/school administrators are required to:
- Inform any new staff of Administrative Procedure 140 Digital Citizenship, Administrative Procedure 141 Information Security and Administrative Procedure 142 Network Security;
- Provide and require information security training for all their staff members;
- Inform all staff of any changes to Administrative Procedure 140 Digital Citizenship, Administrative Procedure 141 Information Security and Administrative Procedure 142 Network Security.
- General Administration
- Each user must be made aware of and have access to Administrative Procedure 140 Digital Citizenship, Administrative Procedure 141 Information Security and Administrative Procedure 142 This Network Security;
- Any individual aware of any breach of information, the information system or network security, including the compromise of computer security safeguards, must report such situations to his/her supervisor. If it is determined that a security breach has occurred, it must be reported in writing to the Division Network Administrator who will report to the Superintendent;
- DTS must acquire prior approval from the Division Network Administrator before making any configuration changes or installing any network devices that may have a negative impact on network performance/security;
- Staff or students shall not establish their own personal web servers, FTP servers, news servers, electronic bulletin boards, RRS feeds, local area networks, modem connections to any existing Division local area networks, without written approval by the Division Network Administrator and their supervisor;
- Enterprise services, such as Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), Windows Internet Naming Service (WINS), firewalls, routing, E-mail, E-mail relay services, and Active Directory services are to be run in cooperation with IT department procedures and guidelines;
- Security protocols, such as Internet Protocol Security (IPsec) and Secure Socket Layer (SSL) must be used whenever deemed appropriate;
- Unless authorized by the Division Network Administrator, Port scanning is strictly prohibited;
- Unless authorized by the Division Network Administrator, Packet sniffing is strictly prohibited.
- Physical Security
- Computing equipment must be placed in an environmentally controlled location (e.g. temperature control, humidity, exposure to moisture, etc.);
- Servers and networking equipment must be stored in secure locations (server room, wiring closets, etc.) with restricted access only to the IT and Facilities departments as well as the site/school administrator;
- Magnetic media such as hard drives, diskettes, or tapes, must be erased before disposal;
- A shredder must be used for the disposal of sensitive documents;
- All networking devices and servers are required to be connected to an Uninterrupted Power Supply (UPS);
- Where appropriate, security access and authorization documentation, for visitors, must be retained a minimum of three (3) months;
- Mission critical data, or copies of it, is not to be stored on a laptop, portable storage device or a handheld device.
- System Security
- Only personnel authorized by the division Network Administrator shall install applications on servers or workstations;
- Administrative access to systems will be determined by the Division Network Administrator;
- System configuration must be done off line. The system must not be connected to the network until it is at an appropriate level of security;
- Whenever system security has been compromised, or convincing reason to believe it has been compromised, the DTS involved must immediately:
- Reassign all relevant passwords;
- Force every password on the involved system to be changed at the time of the next log-in; and
- Communicate and document his/her actions to IT department staff and any other person(s) affected by the change.
- Wherever possible, operating systems and applications must be kept current with the latest operating system and application patches applied;
- Applications must be configured with security in mind;
- Security, account, and system level logging must be turned on when any server is set up;
- Wherever possible, all severs connected to the Division network must be a member of the domain;
- All unneeded services must be turned off for network devices and computer systems;
- The use of fault tolerant systems, such as disk mirroring and RAID array, is mandatory for all servers that store mission or business critical data and highly recommended for all other servers;
- Major applications must be installed on separate servers, e.g. email on its own server, web files on a separate server. Virtualization of servers is an accepted method of accomplishing this requirement;
- Where appropriate, maintenance and service agreements with vendors must be kept current.
- User Account Security
- Each user must have a unique user ID. DTS must be able to uniquely identify all users, including name, user ID, association, and location;
- All “administrator” passwords to mission critical systems must be recorded, kept up to date and saved, both electronically and hard copy, in a secure location for future reference;
- Each user’s profile must not be read, write or execute capable by other users. Permission to access shared resources is to be granted by site administrator only as needed;
- Accounts created for vendors to provide services must only be active during the time the service is carried out;
- Accounts must be reviewed annually to ensure that only valid accounts remain active;
- All user accounts, when possible, must automatically have associated privileges revoked after a certain period of inactivity. The recommended period is thirty (30) days;
- Temporary accounts must have expiration dates;
- If possible, failed login sessions must be terminated and the account locked after five (5) unsuccessful tries;
- Where possible, concurrent logins must be limited to one (1).
- Terminations and Transfers
- All significant changes in staff duties or employment status must promptly be reported to the Human Resources department who, in turn, will notify the IT department to make the necessary changes to the user’s account;
- Computer access of terminated employees must be deactivated immediately upon notification from the Human Resources department, Superintendent or designate.
- Password Administration
- All accounts must have assigned passwords;
- Users must never reveal their password(s) to anyone else. The only caveat is, if a Customer Service Agent (CSA) needs a user’s account password to give support, the password is to be reset by the CSA to “change password at next logon” when support is finished;
- A CSA or any other staff member from the IT department is prohibited from disclosing users’ ID and/or passwords to anyone;
- Password history must be activated and set to retain the last six (6) passwords used;
- If possible minimum password length should be seven (7) characters and is to include alpha-numeric, capitalization and special characters;
- At a minimum, Active Directory passwords are to be reset every one hundred and eighty (180) days;
- Passwords must not be stored in readable form, e.g. in batch files, automatic log-in scripts, software macros, terminal function keys, any other accessible media, or in other locations where unauthorized persons might discover them;
- Passwords must not be written down and left in a place where unauthorized persons might discover and use them;
- All passwords must be immediately changed if they are suspected of being disclosed, or known to have been disclosed, to anyone besides the authorized user;
- All vendor-supplied default passwords must be changed before any computer or communications system is used;
- A user’s main network account password must be encrypted;
- A user must never use their network account password for access to other web sites or programs.
- Encryption is to be used when a high degree of confidentiality is required for email communication;
- Any user requiring access to resources on the Division network from outside of the network must have an approved VPN connection from the IT department.
- Wireless Devices
- A “wireless” connection is less secure and has less throughput than a “wired” connection; therefore, all wireless systems are to be viewed as a complement to a wired system and not as a replacement for a wired system;
- All wireless access points must be administered by the Division Network Administrator;
- It is mandatory for all wireless access points to apply the latest security protocols;
- Sensitive applications must not be hosted on wireless subnets or be transmitted over the wireless network;
- No systems on wireless subnets are to store or transmit data of a sensitive nature such as credit card numbers, confidential student information, legal or attorney privileged data;
- All users of wireless subnets must acknowledge these policies and agree to abide by them before access is granted to wireless subnets;
- The Division Network Administrator and Superintendent, or designate, must approve any exceptions to the above.
- To assure continued uninterrupted service for both computers and the network, all computer systems must have antivirus software installed, updated and enabled at all times.
- The Division Network Administrator or assistant must make sure that all scheduled backups are completed, monitored and tested for effectiveness. Systems are to be restorable after a failure, due to loss of data, or compromise within a reasonable period of time;
- Backups are to be stored in a secure environment;
- Weekly backups must be stored in a secure environment offsite;
- The number of sets and frequency of backups of a system are to be based on the risk analysis of the system, application, or data being backed up;
- Backup and restore procedures must be documented;
- Backup media must be tested periodically to determine its effectiveness.
- Disaster Recovery
- Inventory of hardware, software, service agreements, vendor contracts, personnel information and responsibilities must be maintained;
- The Disaster Recovery Plan (DRP) shall be reviewed annually by the Division Network Administrator;
- The DRP manual will be located in the Division Office vault as well as a copy kept off site in a secure location.
- This administrative procedure applies to all staff, students, consultants, temporaries, volunteers and any others who access the Division computer network. This administrative procedure also applies to all computer and data communication systems/equipment whether owned and/or administered by the Division or not.
- The Division Network Administrator shall, in conjunction with senior executive, department managers, and internal/external audits, review this document on an annual basis.
Sections 12, 60, 61, 113 School Act
Freedom of Information and Protection of Privacy Act
Canadian Charter of Rights and Freedoms
Canadian Criminal Code
ATA Code of Professional Conduct
Board Policy 12 Role of the Superintendent
Reviewed January 2014