Long Beach School District
Network Security Policy
|
Section |
Title |
Page |
|
I. |
Introduction |
2 |
|
II. |
Purpose of Security Policy |
2 |
|
III. |
Security Policy Scope |
3 |
|
IV. |
General Security Policy |
3 |
|
V. |
Maintenance of Policies, Standards, Guidelines and Recommendations |
4 |
|
VI. |
Security Policy; Review, Schedule and Updates |
4 |
|
VII. |
Technology Staff: Role and Responsibilities |
5 |
|
VIII. |
Web Server; Connectivity, Security, Physical Location |
5 |
|
IX. |
E-mail; Functionality, Security, Limitation |
6 |
|
X. |
Antivirus Software; Virus Prevention, Detection and Removal |
6 |
|
XI. |
Firewalls Requirements; Use, Functionality and Port Restriction |
7 |
|
XII. |
Non-Educational/District-Business Related Network Traffic |
8 |
|
XIII. |
Wireless Access Connectivity |
8 |
|
XIV. |
Internet Filtering |
9 |
|
XV. |
Passwords; Guidelines, Protection of, Bad examples |
9 |
|
XVI. |
Servers; Operating Systems, Security and Version Control |
11 |
|
XVII. |
Security Tools; Scanners and Intrusion Detection Systems |
13 |
|
XVIII |
Physical Access; Security Guidelines and Recommendations |
14 |
|
XIX. |
Website; Connectivity, Security Privacy Statement |
15 |
|
XX. |
Authentication and Integrity, Digital Signature, Encryption |
16 |
|
XXI. |
Network Security Administration Procedures, Security Incident Procedures, Reporting, Preserving Evidence, Legal Action |
16 |
|
XXII. |
Software Procedures |
19 |
|
XXIII. |
Hardware Procedures |
20 |
|
XXIV. |
Practices for Network Use |
20 |
|
XXV. |
Revision of Security Policy |
21 |
Long Beach School District Security Policy
I. Introduction
The purpose of the Long Beach Network Security Policy is to create an environment within the Long Beach School District that maintains system security, data integrity and privacy by preventing unauthorized access to data and by preventing misuse of, damage to, or loss of data. The Long Beach School District will adhere to the policies identified in this document and use these standards in which to develop, implement, and maintain the security. Technological advances and changes in the District requirements will necessitate periodic revisions; therefore, Long Beach School District will review and update IT security plans at least annually or following any significant change to its business, computing, or telecommunications environment.
II. Purpose of Security Policy
The Long Beach School District’s increased use of the Internet for conducting official business has generated the following security concerns:
· Information Integrity - Unauthorized deletion, modification or disclosure of information;
· Misuse - The use of information assets for other than authorized purposes by either internal or external users;
· Information Browsing - Unauthorized viewing of sensitive information by intruders or legitimate users;
· Penetration - Attacks by unauthorized persons or systems that may result in denial of service or significant increases in incident handling costs;
· Computer Viruses – Attacks using viral code that reproduces itself by modifying other programs, spreading across multiple programs, data files or devices on a system or through multiple systems in a network, that may result in the destruction of data or the erosion of system performance;
· Fraud - Attempts to masquerade as a legitimate user to steal services or information, or to initiate transactions that result in financial loss or embarrassment to the organization;
· Component Failure - Failure due to design flaws or hardware/software faults can lead to denial of service or security compromises through the malfunction of a system component; and
· Unauthorized additions and/or changes to infrastructure components.
Because information technology security planning is primarily a risk management issue, this policy and its associated standards and guidelines focus on the creation of a shared and trusted environment, with particular attention to:
· Common approaches to end-user authentication;
· Consistent and adequate network, server, and data management;
· Appropriate uses of secure network connections; and
· Closing unauthorized pathways into the network.
The Long Beach School District will take steps necessary to initiate an approach to:
· Ensure secure interactions between and among business partners, external parties, and school districts to utilize a common authentication process, security architecture, and point of entry;
· Prevent misuse of, damage to, or loss of District /MDE hardware and software facilities;
· Prevent unauthorized use or reproduction of copyrighted material by public entities.
· Ensure secure interactions between the Long Beach School District and the State agencies and ensure that there is a shared and trusted environment.
The Long Beach School District will:
· Operate in a manner consistent with the Security Policy and Acceptable Use Policy;
· Develop, implement, maintain, and test security processes, procedures, and practices to protect and safeguard voice, video, and data computing and telecommunications facilities (including telephones, hardware, software, and personnel) against security breaches;
· Train staff to follow security procedures and standards;
· Apply appropriate security measures when developing transactional Internet-based applications,
· Ensure and oversee compliance with this policy.
III. Security Policy Scope
For the purposes of this policy, security is defined as the ability to protect the integrity, availability, and confidentiality of information held by The Long Beach School District, to protect it’s assets from unauthorized use or modification and from accidental or intentional damage or destruction. It includes the security of network facilities and off-site data storage; computing, telecommunications, and applications related services purchased from commercial concerns; and Internet-related applications and
connectivity.
IV. General Security Policy
It is the network security policy of the Long Beach School District that:
1) The Long Beach School District will operate in a manner consistent with the maintenance of a shared, trusted environment within state government for the protection of sensitive data and business transactions. The District will use security protocols (including means of authentication and authorization) relied upon by others; and
The integrity, reliability and predictability of the District WAN will be maintained.
2) The Long Beach School District will establish its secure business applications within the guidelines of the Mississippi State Government Network Infrastructure. This requires that all parties interact with agencies through a common security architecture and authentication process. The Long Beach School District will maintain and operate the shared infrastructure necessary to support applications and data within a trusted environment.
3) Furthermore, the Long Beach School District will operate its applications and networks within the District’s Network Infrastructure and will subscribe to the following principles of shared security:
· Follow security standards established for selecting appropriate assurance levels
for specific application or data access and implement the protections and controls specified by the appropriate assurance levels;
· Recognize and support the state’s standard means of authenticating external
parties needing access to sensitive information and applications;
· Follow security standards established for securing servers and data associated
with the secure application; and
· Follow security standards established for creating secure sessions for
application access.
4) The Long Beach School District will address the effect of using the Internet to conduct transactions for business with other public entities, citizens, and businesses.
5) The Long Beach School District will ensure staff is appropriately trained in Informational Technology (IT) security procedures. The District will make staff aware of the need for IT security and train them to perform the security procedures for which they are responsible. Long Beach Schools IT staff will be encouraged to participate in appropriate security alert response organizations at the state and regional levels.
6) The Long Beach School District will review its IT security processes, procedures, and practices at least annually and make appropriate updates after any significant change to its business, computing, or telecommunications environment. Examples of these changes include modifications to physical facility, computer hardware or software, telecommunications hardware or software, telecommunications networks, application systems, organization, or budget. Practices will include appropriate mechanisms for receiving, documenting, and responding to security issues identified by third parties.
7) The Long Beach School District will conduct an IT Security Policy and Standards Compliance Audit once every three years. The audit will be performed by knowledgeable parties independent of the Long Beach School District. The work will follow audit standards developed and published by the State Auditor.
The Long Beach School District IT security processes, procedures, and practices may contain information (confidential or private) about the District’s business, communications, and computing operations or employees. Policy and procedures for distribution of any related documentation should consider sensitive information and related statutory exemptions for such information from public disclosure.
V. Maintenance of Policies, Standards, Guidelines and Recommendations
Technological advances and changes in the business requirements of the Long Beach School District will necessitate periodic revisions to policies, standards, guidelines and recommendations. The Long Beach School District is responsible for routine maintenance of these to keep them current. Major policy changes will require the approval of the Technology Department and Superintendent of Education.
VI. Security Policy; Review, Schedule and Updates
Technological advances and changes in the business requirements will necessitate periodic revisions; therefore, the Long Beach School District will review and update IT security plans at least annually or following any significant change to its business, computing, or telecommunications environment.
If the District purchases IT services from another organization, the District and the service provider will work together to make certain the IT security plan for the service provider fits within the District’s security plan. The District will obtain a copy of the service provider’s network security plan to determine if it complies with the District Security Plan. If two or more agencies participate with each other in operating an information service facility, the agencies will develop a joint IT security plan which meets their mutual needs.
The Long Beach School District will promote security awareness by informing employees, associates, business partners, or others using its computers or networks about security policies and practices, what is expected of them, and how they are to handle the information.
VII. Technology Staff (ITS): Role and Responsibilities
The Long Beach School District Technology Staff is responsible for developing and maintaining the District’s Security Policy. The Technology Department will:
· Develop and maintain the Security Policy
· Research the IT industry for security related issues and determine how it affects the District IT infrastructure as a whole
· Participate in local and/ or national security organizations for the purpose of sharing security information, pitfalls, warnings, etc.
· Work with State agencies on related security issues
· Work with the State Network Operation Center in investigating intrusion attempts and virus attacks, reporting to agencies’ on these intrusion attempts and virus attacks.
· Work with State Auditor’s Office on Security Audits as necessary
The Long Beach School District will designate an individual to serve as a contact for the technology department (ITS) concerning all security-related issues. This individual will:
· Develop and maintain District-specific security policies
· Ensure that the District is adhering to State of Mississippi Enterprise Security Policy
· Participate in the State Network Security Listserve
· Research IT industry for security related issues and how it affects the District specifically
· Monitor security issues within the District’s IT resources
· Facilitate the State Auditor’s Office Security Audit
The Long Beach School District maintains and houses web servers that reside on the District network and is accessible from the Internet. The district is required to “harden” the server by making sure that all the current operating system patches are applied and kept up-to-date, removing any unnecessary server processes.
For the purpose of security and limiting Spam into the network, the Long Beach School District shall implement and maintain mail relays on the inside of the firewall. All mail bound for State domain email addresses must come through the mail relay and be “relayed” to the appropriate mail server.
1) No direct SMTP from the Internet. The District will utilize the MDE maintained mail relays for mail traveling in from the Internet.
2) No POP or IMAP from Internet to mail servers inside the State network. The District will utilize a web interface (HTTP/HTTPS) to access this mail.
3) No POP or IMAP from State network to private mail accounts on Internet. The District will utilize a web interface (HTTP/HTTPS port) to access this mail.
4) All school related and district related correspondence with students, parents, vendors, business partners, etc. must be via the LBSD or MDE email account. AOL, Yahoo, Netscape, etc will not be permitted for correspondence, as this mail may be intercepted and may contain viruses, etc, that could reach the district network.
5) Never open any email attachments on the network except for the LBSD Groupwise or MDE email. Use extreme precaution when opening email attachments to ensure that the attachment is safe. Virus scanning devices are used on the state and district email system.
There are several kinds of software that can surreptitiously breach computer and/or network security.
They include:
· virus: a code fragment (not an independent program) that reproduces by attaching to another program. It may damage data directly, or it may degrade system performance by taking over system resources, which are then not available to authorized users.
· worm: an independent program that reproduces by copying itself from one system to another, usually over a network. Like a virus, a worm may damage data directly, or it may degrade system performance by consuming system resources and even shutting down a network.
· Trojan horse: an independent program that appears to perform a useful function but that hides another unauthorized program inside it. When an authorized user performs the apparent function, the Trojan horse performs the unauthorized function as well (often usurping the privileges of the user).
A common method of sending these computer viruses is via email. The District will scan all inbound email for viruses and will implement and maintain anti-virus software on the network. The District will implement the following administrative policies in regard to virus and email:
1) Maintain real-time anti-virus software on the network including all servers and workstations.
2) Be diligent about keeping virus definition files up-to-date.
3) Instruct network users not to open attachments from individuals they do not know and/or trust. Instruct them to either delete the email in question or notify the support staff for further investigation.
4) Once a device is infected with a virus, the offending machine should be removed from the network until such time the virus can be removed from the machine.
5) Copies of virus-detection and eradication tools should be kept offline. Otherwise it is possible that the virus could modify the detection tools to prevent its own detection. The network administrator should actively scan/check for viruses online, but periodically use the off-line, trusted copies of the tools to scan the systems.
MDE will maintain a firewall within the core of the network that provides one level of protection of the State network from the connection to the Internet. Below are examples of what will not be permitted:
No direct SMTP from the Internet. The District will utilize the MDE maintained mail relays for mail traveling from the Internet.
No POP or IMAP from Internet to mail servers inside State network. The District will utilize Web interface (HTTP/HTTPS) to access this mail.
No POP or IMAP from State network to private mail accounts on Internet. The District will utilize a web interface (HTTP/HTTPS port) to access this mail.
No FTP access is allowed from Internet to a device on the district or state network.
ITS will not restrict FTP out of the State network to a device on the Internet provided that session/transfer is initiated from the State network.
No LAN protocols mapped to and/or from devices on Internet (i.e. NetBios, NetBeui, NFS, etc.).
No ICMP to and/or from Internet to State network.
No outbound port that has the potential of propagating industry-known viruses, worms, etc. will be allowed.
The exception to these port restrictions is when the district has a VPN implemented between them and a third party. In that scenario, all ports are available for use provided the traffic goes through the VPN.
At no time may a district permit a third party entity to connect directly to their local area network behind the State’s firewall. This includes terminating third party circuits behind MDE firewalls and/or utilizing a PC remote control product (i.e. PC Anywhere) and a modem over a dialup connection.
At no time may a user copy and/or store District data onto a computer that is removed off site of the Long Beach School District, regardless if the computer is owned by the district or by a private owner. This includes but is not limited to MSIS data, financial data, student grade book data, employee or student data, etc. This data may not be removed from the district site in the form of data stored on disk, CD, DVD, backup tape, etc.
1) Instant Messaging protocols outbound from the District network to Internet will not be permitted.
2) Music/video/file sharing services (I.e. Napster, Kazaa, etc.) and any other illegal software or services will not be permitted on State or District network. In addition to security concerns, these services are bandwidth “monsters”. Also there are legal ramifications that are tied to users who use these applications to share files.
3) Internet streaming of audio and/or video will not be permitted. Users are not to use the LBSD network and computers to listen to the radio, watch movies, watch sporting events, etc.
4) No external email services (IE, AOL, Yahoo Mail, etc.) may be used for personal email.
The District will enable and configure the highest form of Wired Equivalent Privacy (WEP) encryption on all wireless devices.
No installations of wireless devices, such as wireless access points, wireless printers, wireless network cards may be installed in the district by any person except a member of the Technology Department. Proper configurations must be performed in order to protect the network.
Consideration for wireless
connections will be based upon the need for the connection, as well as assuring
security and integrity of the network Wireless access will be denied for such
reasons as, the room is already hard-wired for computers.
XIV. Internet Filtering
The District will use the MDE Internet
filtering servers located at the core to provide content filtering for the
district. The District will utilize proxy servers for the purpose of tracking
Internet usage. The District will be CIPA and COPPA compliant.
XV. Passwords; Guidelines, Protection of, Bad examples
Passwords are our personal identification keys that allow access to various IT resources on the District’s network. Passwords help ensure that only authorized individuals access a computer system, a network device, an application, a file, data, etc. Passwords also help to establish accountability for all transactions and changes made to those IT resources. The District enacts strict password policies in securing our segment of the State network infrastructure and our local network. The following guidelines are used when developing these password policies.
Choosing a Password:
Passwords must contain at least 5 nonblank characters.
Passwords must contain a combination of letters and numbers.
Passwords may not contain the user ID.
Passwords may not include the personal information about the user that can be easily guessed: user name, spouse’s name, kid’s name, employee number, social security number, initials, pet’s name, birthdate, telephone number, city, etc.
Passwords may not include common words from an English dictionary or foreign-language dictionary. Hackers have tools that enable them to break any password found in a dictionary or that is a simple transformation of a dictionary word.
Passwords may not contain commonly used proper names, including the name of any
fictional character or place.
Passwords may not contain any simple pattern of letters or numbers such as "qwertyxx" or "xyz123xx."
Passwords should not be trivial, predictable or obvious.
A complex password that cannot be broken is useless if you cannot remember it and have to write it down. For security to function, passwords must be memorized and not displayed for others to view.
Protecting Passwords:
Do not disclose your passwords to anyone except when there is an overriding operational necessity (i.e., support issue).
Do not leave passwords in a location accessible to others or secured in a location for which protection is less than that required for information that the password protects.
Use Secure Shell (SSH) to avoid sending your password in clear text over the network. Crackers can break into a network, set up a program called a Sniffer that listens to the network for passwords, and steal your password. Anytime you type your password to log in to another computer using telnet, ftp, rlogin, etc., your password can be stolen.
Passwords should be unique to users and users should never share passwords.
Passwords should be changed at least every school year and never reused.
Passwords should be changed if anyone else learns the password.
Never use default passwords. All passwords should be unique. This is especially important for administrator accounts with extended rights.
Passwords should be required on all user accounts.
Don't let support vendors have free reign of the Districts IT resources. If a vendor needs access to some resource for support, give the vendor a password and then change it and lock them out when their support is complete.
Be diligent about removing user accounts for staff no longer employed by the Long Beach School District.
Users should log out when leaving their computer, especially administrative users with extended rights.
Teachers and/or staff members may never allow another user (ex. Student) to use their computer while they are logged in the network. Teachers and staff have more privileges than students, such as grade books, etc. and students should never have access to those rights.
Students may never use another student, teacher or staff member’s password nor may they use a computer that is already logged in as another user.
If you suspect your password has been stolen or “cracked", notify the technology staff and change it immediately.
XVI. Servers, Operating Systems, Security and Version Control
Because of their service role, it is common for servers to store many of an organization's most valuable and confidential information resources. They are often deployed to provide a centralized capability for an entire organization, such as communication/email or user authentication. Security breaches on a network server can result in the disclosure of critical information or the loss of a capability that can affect
the entire organization. Therefore, securing network servers should be a significant part of the network and information security strategy.
Many security problems can be avoided if servers and networks are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions more than security. Since vendors are not aware of your security needs, we must configure new servers to reflect our security requirements and reconfigure them as our requirements change.
There are several aspects of network servers that can make them tempting targets for hackers/intruders:
1. Public servers often have publicly known host names and IP (Internet Protocol) addresses.
2. Public servers may be deployed outside an organization's firewall or other perimeter defenses.
3. Servers usually actively listen for requests for services on known ports, and they try to process such requests.
4.Servers often do not have a human user who notices signs of unusual activity.
5. Servers are often remotely administered, so they willingly accept connections from privileged accounts.
6.Servers often are configured to reboot automatically after some kinds of failures, which can offer opportunities for intruders.
When deploying servers in the network, special considerations are made. These recommendations are generic in nature and should be considered for all servers including: Novell, Windows NT, UNIX, Linux, Windows XP, etc. The Long Beach School District considers these recommendations:
1) Do not purchase or deploy systems that fail to meet your security requirements.
2) As a general rule, a network server should be dedicated to a single service. This usually simplifies configuration, which reduces the likelihood of configuration errors. It also can eliminate unexpected and unsafe interactions among the services that present opportunities for intruders.
3) Determine what steps you need to take to ensure that the information contained on hardware being replaced, removed from service, or disposed of is eliminated to the extent possible. For example, erase and reformat disks, rewrite tapes, and clear firmware passwords from servers being taken out of commission. Hackers could use information gathered from old hard drives, to crack other systems.
4) Prevent the use of a network server as a workstation.
5) Stay informed of vendors' security-related updates to their products, which may be called updates, upgrades, patches, service packs, or hot fixes. Whenever an update is released, you need to evaluate it, determine if it is applicable to your organization's computers, and, if so, install it. The most common sources of current information include Web sites of vendors and computer and network security organizations. There are also mailing lists, some of which are sponsored by vendors, and USENET news groups. Keep security patches current.
6) Offer only essential network services and operating system services on the server host machine. Other services can be used to attack the host and impair or remove desired network services. Either do not install unnecessary services or turn the services off and remove the corresponding files (and any other unnecessary files) from the host.
7) Remove unneeded default accounts and groups. The default configuration of the operating system often includes guest accounts, administrator accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove or disable unnecessary accounts to eliminate their use by intruders.
8) Change default passwords. For default accounts that you want to keep on the system, change the passwords to make it harder for intruders to compromise the accounts. Also disable passwords for accounts that need to exist but do not require an interactive login.
9) Ensure users follow your password policy. Document your password policy, communicate it to users, and train them to always follow the policy. Configure the password-setting software to reject passwords that don't conform to your policy, if the operating system provides this feature.
10) Configure servers to deny login after a small number of failed attempts.
It is relatively easy for an unauthorized user to gain access to a server by using automated software tools that attempt all passwords. Configure it to deny login after five failed attempts. Typically, the account is "locked out" for a period of time (such as 15 minutes) or until a user with appropriate authority reactivates it.
11) Configure computer operating systems with appropriate object, device, and file access controls. Many operating systems provide the capability to specify access privileges individually for files, devices, and other data or code objects. Configure the settings on files and other objects to take advantage of this capability and protect information stored on the computer. By carefully setting access controls, you can reduce both intentional and unintentional security breaches. For example, denying read access helps to protect confidentiality of information, and denying unnecessary write access
can help maintain the integrity of information. Limiting the execution privilege of most system-related tools to authorized system administrators can prevent most users from making configuration changes that could reduce security. It also can restrict the ability of intruders to use those tools to attack the system or other systems on the network. Only give users access to files/data that they need.
12) Identify and implement server logging mechanisms. For example, access to services should be logged and/or protected through access-control methods such as TCP Wrappers, etc.
13) Develop and implement a file backup and restoration plan. File backups allow you to restore the availability and integrity of information resources following security breaches and accidents. Without a backup, you may be unable to restore a computer's data after system failures and security breaches. The district will backup servers daily and will store backup tapes weekly in another site within the district. File restoration will be completed as needed.
14) Install virus scanning software and aggressively scan for viruses. Also, keep virus definition files up-to-date. Scanning for viruses with out-dated antivirus software will not detect the latest and greatest virus threats traveling around the Internet.
15) Deploy servers in a secure facility preventing unauthorized access to the server. Access to server rooms must be restricted to authorized LBSD Technology staff only.
16) Deploy network wiring and devices in a secure facility. For example, if an intruder gains access to a network switch, he can place a Sniffer on the network and sniff for data including sensitive/personal data, passwords etc.
17) Implement appropriate change management procedures and all configuration changes to server must follow those procedures.
18) Never log into a server and use root/supervisor/administrator access when a non-privileged account login will work.
XVII. Security Tools; Scanners and Intrusion Detection Systems
The state provides An Intrusion Detection System (IDS) which monitors computer systems and network traffic and analyzes that data for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the enterprise. The main advantage of an IDS is that it provides a view of server and network activity and issues alerts notifying administrators of unauthorized, unusual activity. While IDS can identify that an intrusion has occurred or is in process, and it may be able to provide the intruder s IP address, the security administrator or network manager must then investigate the attack, determine how it occurred, and correct the problem. Human intervention is also required to recognize false alarms and override possible system lock out for those occasions.
When an IDS identifies an action that appears to be an intrusion attempt, the IDS
sends commands to the appropriate core device (i.e. switch, router and/or firewall) to block any traffic from the offending IP address. The District will provide a security monitoring and management framework that will enable us to capture and correlate information from the existing network devices and to provide detailed reporting in a interactive, real-time environment. This security monitoring and management framework will enable ITS to capture large volumes of data from the existing network devices ( routers, host systems, authentication servers, etc.), correlate and present it in a useful reporting format to help ITS technical staff in detecting, identifying and stopping unauthorized IT infrastructure access.
Also, ITS believes we should practice defense in depth . If we assume that major network firewall and servers can be compromised (which they can by patient and skilled hackers), then unprotected client/desktop systems behind these compromised firewalls can be usurped and used as internal launching points for attacks on the district/state network. Statistics have shown the majority of attacks come from within. Personal firewall capability on each of the client/desktop systems can significantly reduce this inside threat. Therefore, because of the threat from the inside. The district will consider an additional level of security by implementing personal firewall software on each client/desktop system on their network.
XVIII. Physical Access; Security Guidelines and Recommendations
A majority of security violations, vandalism, and even accidental acts that lead to disruption of services can be attributed to deficiencies in physical security. The guidelines below should be considered in order to maintain adequate physical security for the Long Beach School District.
Location
(1) Locate computer equipment in inconspicuous places without signs, maps, and external references.
(2) Locate network equipment away from windows or any other place that allows easy access by outside individuals.
(3) Locate network equipment and computers in places that can be environmentally controlled.
(4) Insure that network equipment is located away from heavy traffic patterns.
(5) Insure that all equipment, even PCs, can be located in rooms that can be physically secured.
(6) Locate equipment in areas to minimize the likelihood of accidents. For example, do not place equipment in rooms that contain overhead water pipes or in rooms next to large mechanical systems.
(7) Try to locate facilities in buildings that are of less risk as far as disaster potential. Buildings located in flood zones, near railroad tracks, or remote to fire departments would be at greater risk.
Access
(1) Rooms or closets that contain District and/or State Wide Area Network routers and servers must be locked at all times. This includes remote offices. The technology staff will be the only authorized party to enter these rooms.
(2) Wiring closets should be locked at all times, with technology staff only authorized to enter the closets.
(3) The district is devising a plan for all switches to be secured in a locked protected closet. While all switches are in rooms that can be locked, there are some switches in areas that are not in closets. The technology staff will be the only authorized party to enter these closets.
(4) A security system should be installed and maintained in the main server room.
(5) All users must log off the network (Novell) when they walk away form the computer. NO computer connected to the network should ever be left unattended by the user who logged into the network. All users must log off the network and shut down the computer at the end of the day.
(6) All classrooms, offices and meeting rooms, etc. that house computers must be locked and secured when the room is vacated.
Environmental and Electrical Measures
(1) Computer facilities must have fire protection. All facilities must have strategically placed hand held fire extinguishers. Fire extinguishers must be inspected yearly by the Fire Department.
(2) All facilities must deploy smoke and heat detectors.
(3) Flammable or toxic materials must not be stored near computer equipment.
(4) Electrical systems for critical computer equipment must include Uninterrupted Power Systems(UPS). Surge protectors should be considered for equipment sensitive to power fluctuations.
(5) Adequate room temperature and humidity must be maintained to the specifications of the hardware vendor.
Miscellaneous Physical Security Measures
Backup and recovery materials (tapes, manuals, etc.) should be kept at a site that meets stringent physical security measures.
XIV. Website; Privacy Statement, Disclaimer
The following is the Privacy Statement for the Long Beach website. This policy addresses collection, use, security of, and access to information that may be obtained through your use of the website. Users of said website understand and agree that in addition to this District Website Privacy Statement, each website you visit may have a unique Privacy Statement.
This notice covers the following topics:
The Long Beach School District has taken several steps to safeguard the integrity of its telecommunications and computing infrastructure, including but not limited to authentication, monitoring, auditing, and encryption. Security measures have been integrated into the design, implementation, and day-to-day practices of the entire portal operating environment. One of the key features is the use of SSL (Secure Socket Layer) for transmission of confidential information. This information should not be construed in any way as giving business, legal, or other advice, or warranting as fail proof, the security of information provided at www.lbsdk12.com.
Disclaimer
The LBSD website could provide links to other web sites. These include links to web sites operated by other government agencies, nonprofit organizations, and private businesses. When a web user links to another site, the user is no longer on the LBSD website and this Privacy Notice will not apply. When the web user links to another web site, the web user is subject to the privacy policy of that new site.
LBSD Website Contact Information
To access your Personally Identifiable Information the District collects, if any, or to request correction of factual errors in the web user’s Personally Identifiable Information or should the web user need further information on our Privacy Policy, the user should contact the Technology Coordinator.
XV. Authentication and Integrity, Digital Signature, Encryption
Authentication is simply knowing someone is who they say they are. When using resources or sending messages in a network and using the Internet, it is important that authentication ascertains that users are who they say they are.
Integrity is knowing that the data sent has not been altered along the way. Of course, a message modified in any way would be highly suspect and should be completely discounted. Message integrity is maintained with digital signatures.
A digital signature is a block of data at the end of a message which attests to the authenticity of the file. If any change is made to the file, the signature will not verify. Digital signatures perform both an authentication and message integrity function.
Encryption
Encryption is the coding of data through an algorithm or transform table into apparently unintelligible garbage. Encryption can be used on both data stored on a server or as data is communicated through a network. Encryption is a method of ensuring privacy of data and that only intended users may view the information. The District uses Novell NICI for encryption from the workstation to the server, data stored on the server and as data is communicated through a network.
XVI. Network Security Administration Procedures, Security Incident Procedures, Reporting, Preserving Evidence, Legal Action
All security violations or suspected violations must be reported to the Technology Department. The Technology Department will then work with the principal or supervisor to ensure evidence is preserved and that it is reported correctly.
The Technology Department will then:
1. Respond quickly to ensure that traces, logs, etc. are intact and available. Processing will not be stopped immediately. No files will be restored immediately.
2. Communicate via the telephone. Some intruders may be able to monitor E-mail.
3. Make copies of files that the intruder may have altered of left.
4. Make sure the perpetrator is not directly contacted.
5. Identify a primary contact to handle evidence.
6. Contact the FBI and local Law Enforcement.
It is the responsibility of all district employees and/or contractors to report suspected security violations as quickly as possible. Subsequent action, depending on the type of breach, can vary. Security breaches may be categorized as those pertaining to physical intrusions, electronic intrusions that include networks, servers, and workstations; incidents related to catastrophic disasters, and breaches as a result of deception and/or fraud. The ultimate goal, regardless of the category of incident, is the protection of district/state assets, containment of damage, and the restoration of service.
Network Security Administration Procedures
Normal logging processes should be enabled on all host and server systems.
Alarm and alert functions, as well as logging, of any firewalls and other network perimeter access control systems should be enabled.
Audit logs from the perimeter access control systems should be reviewed daily.
Audit logs for servers and hosts on the internal, protected network should be reviewed on a weekly basis.
Users should be trained to report any abnormalities in system performance to the Technology staff.
Users should notify the Technology Coordinator, Network Administrator and Superintendent of violations of the CIPA and COPPA laws. All users must abide by the CIPA and COPPA laws as stated in the Acceptable Use Policy. Violations will be reported to the proper legal authorities, such as the FBI. Everyone who knows of the violation must report it to proper enforcement authorities.
All trouble reports received by the Technology Department should be reviewed for symptoms that might indicate intrusive activity. Suspicious symptoms should be reported to the Network Administrator and Technology Coordinator.
Security Incident Reporting Directions
1. Keep a Written Log of pertinent information.
2. Notification of Incident: Inform the appropriate people. In the case of a criminal act, secure the computer and store it until the incident has been investigated and cleared.
3. Control of Information: Control all information. Release to Superintendent.
4. Follow up Analysis. All involved parties should meet and discuss the actions
5. Procedures should be evaluated and modified
Physical intrusion of secured areas
1. Notify the Building Principal and Superintendent
2. If warranted, notify the Department of Finance and Administration Law Enforcement, the Mississippi Highway Patrol and/or local police department
Catastrophic Disasters of secured areas
1. Notify the Building Principal and Superintendent
2. If warranted, notify the Department of Finance and Administration Law Enforcement, the Mississippi Highway Patrol and/or local police department.
Electronic Intrusions
1. Notify the Building Technology Coordinator, Network administrator, and Superintendent.
2. Any data captured that resulted in detecting the intrusion should be kept until the incident has been investigated and cleared.
Deception and Fraud
1. Notify the Superintendent.
2. If warranted, notify the Department of Finance and Administration Law Enforcement, and/or local police department.
Hacking Incidents
Attempts to Gain Access to a System: Incidents of this type may include repeated login attempts, repeated ftp or telnet commands, and repeated dial back attempts.
1. Identify the problem.
2. Identify the source
A. look at system log files and
B. active network connections
3. Make copies of all audit trail information:
A. system log files,
B. the root history file,
C. utmp and wtmp files, etc.
4. Log all actions.
5. Notification
A. Notify the Technology Coordinator, Network Administrator and Superintendent.
B. If warranted, notify the Department of Finance and Administration Law Enforcement, and/or local police department.
6. Complete follow-up report.
Active Hacker/Cracker Methods for incidents
The method used to handle a cracker/hacker incident should be determined by the level of understanding of the risks involved.
Method 1. Immediately lock the person out of the system and restore the system to a safe state.
Method 2. Allow the hacker/cracker to continue his probe/attack and attempt to gather information that will lead to an identification and possible criminal conviction.
1. Notify the Superintendent.
2. If warranted, notify the Department of Finance and Administration Law Enforcement, and/or local police department.
Gathering Evidence of Hacker/Cracker Incidents
Removal of Hacker/Cracker
1. Make a Snapshot of the system
2. Make copies of system log files,
3. Make copies of the root history files, etc.
4. Make a listing of all active network connections.
5. Log all actions.
Lock Out the Hacker
1. Kill all active process for the hacker/cracker
2. Remove any files or programs that he/she may have left on the system
3. Change passwords for any accounts that were accessed by the hacker/cracker.
4. Log all actions.
Restore the System
1. Restore the system to a normal stage.
2. Restore any data or files that the hacker/cracker may have modified.
3. Install patches or fixes to close any security vulnerabilities that the hacker/cracker may have exploited.
4. Document all actions in a logbook.
Report the Incident
1. Notify the Superintendent.
2. If warranted, notify the Department of Finance and Administration Law Enforcement, and/or local police department.
Follow up
1. After the investigation, a short report describing the incident and actions that were taken should be documented and distributed to the appropriate personnel.
Monitoring of Hacker/Cracker Activity
1. Make a Snapshot of the system
2. Make copies of system log files
3. Make copies of the root history files, etc.
4. Make a listing of all active network connections.
5. Record Monitoring information in a written log.
XVII. Software Procedures
1) Software, including but not limited to Internet downloads, utilities, add-ins, programs (including shareware, freeware and Internet access software), patches, upgrades, or clip-art, shall not be installed on any desktop, notebook personal computer (PC), or server by anyone other than a representative of the Long Beach School District Technology Department, without notification to the technology department via e-mail or the System Email (Notes) There are to be no games on any desktop, PC, or server at any time for any reason. All software purchased for use on ITS equipment must be approved in writing by the Technology Department. The district’s network contains software which performs an inventory of each PC on a regular basis to ensure compliance with this rule.
2) Software owned or licensed by the Long Beach School District may not be copied to alternate media, distributed by e-mail, transmitted electronically, or used in its original form on other than district owned computers without express written permission from the Technology Department.. In no case is the license agreement or copyright to be violated.
3) Software licensed to the Long Beach School System is to be used for its intended purpose according to the license agreement. Employees are responsible for using software in a manner consistent with the licensing agreements of the manufacturer. License agreements are maintained by the Technology Department.
4) All software installed on LBSD computers must be owned by the LBSD.
5) All software purchased by the Long Beach School District must be installed on District-owned equipment, and may not be taken offsite without permission from the technology department.
5). No district owned software may be installed on a computer not owned by the District unless the license agreement specifically allows it.
6.) There must be a separate software license for each computer unless a site license is purchased. Users may not purchase one software program or CD and install it on additional computers, such as every computer in the room.
XVIII. Hardware Procedures
1) All PCs, workstations, printers, add-in cards, memory modules, and other associated equipment are the property of the Long Beach School District and should not be used for purposes other than business. No changes, modifications, or additions, or equipment removals may be done without written notification to the Technology Department and fixed asset manager.. No information systems equipment should be removed from the district, with the exception of documented Superintendent approval for equipment to be used for daily offsite work by a named, specific staff member.
In the event equipment is to be off premises for some time, the employee responsible for the equipment must file a written hand receipt with the Fixed Asset Director.
3) All computers connected to the LBSD network must be owned by the LBSD/State and must be on the fixed asset inventory.
4) A standard platform is established for district computers and equipment. Approved non-standard hardware is only to be used when the standard hardware is unavailable.
5) All hardware purchased by the Long Beach School District must be installed on District-owned equipment.
6) In order for effective software and network functioning, modern up-to-date computers, servers, routers, switches, etc. must be provided by the District.
XIV. Practices for Network Use:
1) No materials are to be disseminated in any manner which are derogatory to any person or group, obscene, racist, sexist, harassing or offensive based on color, religion, creed, national origin, age or disability.
2) System identification codes and passwords are for the use of the specifically assigned user and are to be protected from abuse and/or use by unauthorized individuals.
3) All diskettes, e-mail attachments and executable e-mail messages are automatically scanned for viruses using the virus detection software installed on all computer workstations. If you have made any configuration changes to your workstation, even with the approval of the Technology Department, it is your responsibility to ensure virus protection prior to opening/executing diskettes, e-mail attachments
or executable e-mail messages.
4) Like all ITS information systems resources, Internet access and e-mail are for work-related use. Access and sites visited can and will be monitored at the specific individual level.
5) Employees may not use ITS information systems resources for soliciting, personal financial gain, partisan political activities or further disseminating junk e-mail such as chain letters.
6) Information contained on the district’s network and workstations is strictly proprietary to the Long Beach School District or State of Mississippi. All data stored on LBSD computers and/or servers are the property of the Long Beach School system. Copying or disseminating any of this information for any purpose other than district business is strictly prohibited. Access to this information must be considered confidential.
7) Users are expected to report violations of this policy which the user observes to the technology coordinator, network administrator or supervisor or, in the event that the violation involves the supervisor, the Superintendent of Education.. Likewise, if you are a witness to a violation you are required to cooperate in any investigation of the violation. All incidents and actions should be documented.
Consequences:
Any user who knowingly and willingly violates this policy is subject to discipline up to and including termination from employment, or expulsion from school, depending on the severity of the specific offense(s). Furthermore, in the event of an illegal activity, the user will also be reported to the appropriate law enforcement authority. If you have any questions regarding this policy or any situation not specifically addressed in this policy, see your supervisor or the Long Beach Superintendent of Education.
XV. Revision of Security Policy:
This policy is subject to revision. The district will adequately post revisions, but it is the user’s responsibility to ensure that use of the computing and communication resources conforms to current policy.