Data Loss Prevention Plan
For the
Gilchrist County School District
By Aaron Wiley
Director of Instructional Technology
Table of Contents
1. Plan Scope and Goals.
a. Gilchrist County Schools
b. NEFEC
2. Identification of Data Types.
a. Student Data Types
b. Employee Data Types
c. Financial Data Types
d. Administrative Data Types
3. Identification of Data Locations.
a. Local Servers
b. NEFEC
c. Vendors
4. Strategies for Loss Prevention.
a. Communication
b. Education of Staff
c. Access Control
d. Backup and Restore
5. Summary
1. Plan Scope and Goals
a. Gilchrist County Schools.
The Gilchrist County School District consists of four schools, the transportation office, and the district office. These sites house approximately 2700 students, 200 faculty members, 75 support staff, and 25 administrators. This plan will address the security of the data generated by this population, with the exception of data identified as being the responsibility of our consortium, NEFEC.
As it is the nature of technology to change rapidly, this document should be reviewed and updated regularly in order to properly address new conditions and threats. It is the goal of this document to provide guidelines for the reduction and prevention of data loss both accidental and intentional.
b. NEFEC
NEFEC (North East Florida Educational Consortium) is the educational consortium for 13 small and rural school districts in north Florida. In being our consortium, NEFEC houses data systems that would be to expensive for a small district to run on their own. In doing so, they are caretakers of a large part of our most sensitive data; student grades, finance, and Human Resource. NEFEC is in the process of updating their DLP at this time.
2. Identification of Data Types
a. Student Data Types
Student Data can be broken down into three subgroups according to where the data is housed.
1. Housed at NEFEC:
Student Gradebook data includes assignment grades, period grades, teacher notes and comments, demographic information, and discipline.
Student Information System data includes personal information with home phone numbers, addresses, parental information, housing status, and other demographic information.
Student Test Scores and FCAT data are housed within the NAV Plus program.
2. Housed within the district:
Student data in the form of program progress and
assignment scores in locally installed programs such as Compass Odyssey and FCAT TestMaker.
3. Housed with vendors:
Student data in the form of program progress
and assignment scores in online systems including Renaissance Place (AR,AM,SR,SM), Successmaker, Reading A-Z, Connect-Ed, FCAT Explorer, Pearson-Math, Kurzweil, and Reading Plus.
b. Employee Data Types.
Employee Data is housed mostly in Skyward at NEFEC and is therefore secure and off-site. Local employee data is mainly anecdotal. There are no employee information databases housed locally. Employment applications are also stored online through a contract service.
c. Financial Data Types
Skyward is the program used for financial data including Payroll, accounts receivable and payable, requisitions, and purchase orders. Skyward is housed at and maintained by NEFEC. Any local financial information is anecdotal. There is no financial database housed locally.
d. Administrative Data Types
Administrative data would include recordings and transcriptions of board meetings, administrator created documents and memos, all email and email archives. Training and professional development information would also be considered Administrative Data. All this is housed locally.
3. Identification of Data Locations.
a. Local Servers.
GCSDMAIL – Current mail server (MS Exchange) holds all district mailboxes.
GCSD15339 – THS & TES home drives for teachers and administrators. Exchange backups, mail archive.
GCSTD15329 – Child Care Manager for TES & BES VPK.
Secure Data Folder (used for pushing student data back and forth across the district securely)
GCSTD15440 – Food Service/ MIS secretary shared document folder.
GCSTD15282 – FCAT Test Maker.
San_Master – School Board Archives, Exchange Backups.
GCSDTComp – TES Compass student progress/assessments
GCSB14188HPSRV – Student progress/assessment.
BELLAPPS – Secure Lesson Plan folders, Secure Admin folders
BELLAPPS3 – Backups of BELLAPS, student security videos
BELLAPPS2 – Behavior classification database.
GCSDBCOMP – BES student progress/assessments
b. NEFEC
Skyward is our main information system. It is the program used for student information, including; grades, demographic, and assessment. Skyward is also our financial, HR, and Payroll. The Skyward program is housed at NEFEC in Palatka, Florida, and is connected to by secure web and remote terminal sessions. The Skyward program and databases are covered by NEFEC’s Data Loss Prevention Plan and Disaster Recovery Plan.
c. Vendors
Pearson – Houses SuccessMaker and other student assessment programs. Covered by contract.
Mcgraw-Hill – Houses Connect-ed and other student assessment programs. Covered by contract.
Scholastic – Houses Read180 and other student assessment programs. Covered by contract.
Renaissance Learning – Houses AR, AM, and other student assessment programs. Covered by contract.
Taylor Associates – Reading Plus and other student assessment programs. Covered by contract.
All vendor housed programs are accessed by secure (HTTPS) web connection and data uploads are made through secure FTP or HTTPS. All vendors are responsible for the maintenance and security of their databases. Non-disclosure agreements are filed with MIS before any data is shipped.
4. Strategies for Loss Prevention.
a. Communication.
In order to facilitate Data loss Prevention, the first step is to identify and document that process of identification so it may be referenced if needed to apply to new data. By delineating the standards for identifying and securing Student, Employee, Financial, and Administrative data it allows continued monitoring and action on new information.
b. Education of Staff.
All staff must be instructed on the identification of sensitive data and how to secure such data. All new employees with access to any data are required to participate in an orientation meeting with the directors of MIS and IT where data types are discussed and proper security protocols are introduced. The directors also will answer any questions and reinforce the idea that they are available to answer questions in the future. District and School administrators will include Data Security information in faculty and departmental meeting as related to topics of discussion in such meetings. It is the responsibility of the IT director to monitor that this training is kept current and in compliance with best practices.
c. Access Control.
1. Phsycal Access/Environmental Control
All systems the hold sensitive data locally will be housed in secure locations. These locations shall be locked at all times with keyed access to authorized personnel only. No cleaning services will be allowed unsupervised access to such areas. Necessary non-technology access (fire inspection, pest control, etc.) will be with escort only. Areas with these systems must be provided with adequate environmental control as well as appropriate fire equipment.
2. Network access
Network access will be controlled through the use of appropriate account and password policies. The minimal amount of access rights will be granted to any individual user, or group of users, that is needed to perform their daily functions. Special access will be granted only on an as-needed basis and for limited time span. Continued monitoring of network access through wireless means will be maintained to prevent possible network attack through unauthorized wireless connections.
d. Backup and Restore
Backups shall be maintained for all data that is housed properly on the network and configured by the IT staff. Backups will be configured to run at appropriate times and at regular intervals. Care should be given to avoid overlapping times and destinations so as to facilitate smooth network operation. Restores will need to be tested to make sure that the data can be recovered in case of disaster.
5. Summary
In summary, all data on the network is important to the person who generated it and should be secured and backed up properly. But some data is more sensitive and must have special care taken to ensure that it is kept safe and can be recovered if the unexpected happens.