Information SecurityFrameworkfor Education
Birth-12
Drafted bytheEducationInformation SecurityCommittee,Information SecurityFramework
Workgroup
WorkgroupMembers: Rick Wahlstrom (NWRESD, chair),AmyMcLaughlin (ODE), NickLapp (IMESD), Benjamin Tate(Salem-Keizer SD), John Goucher(Hillsboro SD),LanceQueen (Crook CountySD)
Security Components
I.RiskManagement
Risk Management is the process of identifying, assessing, and takingstepsto reducerisk to an
acceptablelevelforinformation systems and data.Risk management is critical for<district nameto successfullyimplement and maintain asecureenvironment. Risk assessments identify, quantify,and prioritize risksagainstcriteriaestablished bythe district for risk acceptanceand objectives. Assessment results guide and determine appropriate district action and priorities for managinginformation securityrisks and for implementingcontrols neededto protect information assets.
Risk assessments (RAs) can beconducted onanyentitywithin district or anyoutside entitythat has signedathird partyagreement with an outsidecompany. RAs can be conducted on any information system includingapplications, servers, and networks, andanyprocess or procedure bywhich thesesystems areadministeredand/or maintained.
The role ofInformationSecurityOfficer (ISO) can bedesignated orhis orher responsibilities assigned toan existingindividual. TheISO is responsible forleadingand or facilitatingthe Information SecurityRisk Assessment Team.
Theidentification ofinformation securityrisksand notification oftheISOis the responsibilityof alldistrict personnel. The execution, development, and implementation of remediation programs arethe jointresponsibilityoftheISO and the department responsible fortheprocess or systems with theidentified risk.District staff are expected to cooperatefullywith anyRA being conducted on systems forwhich theyareheld accountable.Staff are furtherexpected to work with theInformation SecurityRisk Assessment Team in the developmentofa remediation plan.
Risk management can include the followingstepsas part of arisk assessment:
1. Identifythe risks
a. Identifyagencyassets and the associated information owners
b. Identifythe threats to those assets
c. Identifythe vulnerabilities that might be exploited bythe threats
d. Identifythe impacts thatlosses of confidentiality,integrityandavailabilitymay haveon the assets
2. Analyzeand evaluate therisks
a. Assess thebusiness impacts on the district that might result from securityfailures, takinginto account theconsequences of alossofconfidentiality, integrityor availabilityof thoseassets
b. Assess the realisticlikelihood ofsecurityfailuresoccurringin thelight of prevailingthreats and vulnerabilities, and impactsassociated with theseassets, and the controls currentlyimplemented
c. Estimatethe level of risks
d. Determinewhethertherisks areacceptable
3. Identifyand evaluateoptions forthe treatment ofrisk
a. Applyappropriatecontrols
b. Accept therisks
c. Avoid the risks
d. Transfer the associated business risks to otherparties (students, personnel,etc.)
4. Select control objectivesand controls forthe treatment of risks
II.SecurityPolicy
Theobjectiveofan information securitypolicyisto providemanagement direction and support
forinformation securityin accordancewith<district namebusiness requirements and governinglaws andregulations.Information securityadministrative rules supportingthe overarchinginformationsecuritypolicywillbe approved bythe district, published and communicated to allemployees, students, and external parties asappropriate. These rules willset<district name’s approach to managinginformation securityand willalignwith relevant
federal and stateregulations and laws.
Information securityrules willbe reviewedat planned intervals annuallyor ifsignificant changes occurto ensuretheircontinuingsuitability, adequacy,and effectiveness. Reviews willinclude assessingopportunitiesforimprovement of <district name’s information securitypolicies and approach to managinginformation securityin responseto changes to<district name’s environment, newthreatsand risks, business circumstances, legal and policyimplications, and technical environment.
III.OrganizationofInformation Security andPrivacy
Information securityis proactivelymanaged at<district nameManagement approves
information securityprocedures, assigns securityroles, and coordinates andreviews the implementationofsecurityacross the (school/district/ESD).
Information securityrequires coordination andcommunication throughoutthedistrict. This includes ensuringstaff and teachers fullyunderstand their roles andresponsibilities in maintaininginformationsecurityand privacystandards. Information securityresponsibilities mustbe clearlydefined and communicated to staffthrougheasyto locate
procedures/training/administrative rules.
Keyresponsibilities in information securityand privacyareidentified andassigned to specific personnel. In most cases, these responsibilities areapart of an individual’s position, not a separateposition. Keyresponsibilities include:
●Primarypointof contactforInformation Security (Information SecurityOfficer)
●Primarypointof contactfor FERPA PrivacyCompliance
●Primarypointof contactforInformation Security Incident Response
●Primarypointof contactforsecurityadministration
IV.Asset Management
Asset Management is the processoftrackingandreportingthe value and ownership ofinformation assets. Information asset management is essential in order to provide reliableand secureservices.Information assets include:
Information- the data itself whether stored on paper or electronically
Databases
Paper filingsystems
Information technologysystems used to storeandprocess valued information
Districts have an obligation to maximizethe securityand efficiencyof asset tracking and utilization. An accurate inventoryofinformationand information systems allows districts to better define and controlthe components of theinfrastructure and services provided. Asset trackingalso enables districts to leverage configuration management tools andpractices, as well as plan for futureasset needs bydeterminingavailabilityof equipment. Accuracyis a keygoal in all aspects of Asset Management.
Districts should establish a baselineeffort to establish an asset managementdatabase. All assets, as defined below, should betracked in an asset management database,processes should be put in placeto maintain thevalidityand accuracyof thedata and annual reviewsshould be conducted
to verifythe data.
Oncethe baselinehas been established,districts should undertakeprocessdevelopment as part of theirnext steps. Processes can coveravarietyofareas, but should at least establish steps forthe followingareas:
1. Asset Ordering
2. Asset Receivingand Check-in
3. Asset Requests
4. Asset QA
5. Asset Decommission
6. Asset Surplus/Trade-In
Additionally, standards should be developed for the following areas:
1. Asset Shippingand Receiving
2. Asset Storage
3. Asset Tagging
4. Asset Tracking
5. Asset Reporting
V. HumanResources Security
All employees, volunteers, contractors,and third partyusers of<district nameinformation andinformation assets will understand theirresponsibilities and willbedeemed suitable forthe roles theyare consideredfortoreducethe risk of theft,fraud, ormisuse ofinformation. Security responsibilities will be addressed prior toemployment in position descriptions and any associated termsand conditions of employment.Whereappropriate, all candidates for employment, volunteerwork, contractors, and third partyusers willbe adequatelyscreened, especiallyforroles that requireaccess to sensitiveinformation. Management is responsible for ensuringsecurityis considered duringhiringand throughout theindividual’s employment with the district.
Thedistrict intends to ensurethat personsemployed byor contractingwith thedistrict havenot engaged in anycriminalbehavior that is incompatiblewith their duties and responsibilities with regard toaccess and handlingof protected information, and the mission of theagency. To achievethisgoal, thedistrict includes noticein hiringannouncements that abackgroundcheckwillbe conducted on potential candidates. Asa condition of employment, applicants applyingfor positions must sign an authorization form allowingthe district to conduct acriminal background check. Thedistrict conducts criminal backgroundchecks on allprospectiveemployees, directhiretemporaryappointments, and external transfer employees. TheHumanResources department will ensurethat external contractors have completed criminal background checks on allcontractorsassigned to work atthe district.Information securityrequirements areincluded in the position descriptions of theInformation SecurityOfficer.
All new employees andtemporaryemployees receive trainingon the district’sInformation Securityprogram andarecoveredandrequired tosign relevant securitydocuments. All employees and contractors participate in securityawareness trainingannually, at which timethey also sign allapplicable securitypolicies.
Securitytraining, includes, but is not limited to, trainingon securitypolicies andprocedures, FERPA and HIPAA, individual preventative securitysteps, as wellas information onIT security that educates theuser to thedangersat workand at home.
Procedureswillbeimplemented to ensurethatanemployee, volunteer,contractor, orthird party’s exitfrom the district is managed, and thereturn of allequipment andremoval of all access rightsare completed.
VI.Physical andEnvironmental Security
Thepurpose of physicaland environment securityis to prevent unauthorized physicalaccess,damage, theft,compromise, and interferencetodistrict nameinformation and facilities. Locations housingcritical or sensitive information or information assets will be secured with appropriate securitybarriers and entrycontrols. Theywillbephysicallyprotected from unauthorized access, damage, and interference. Secureareas willbeprotected byappropriate securityentrycontrols to ensurethat onlyauthorized personnelare allowedaccess.
All equipment containing storagemediawillbechecked to ensurethat anysensitive data and licensedsoftwarehas been removed orsecurelyoverwritten prior to disposal.
Formoreinformation onphysicaland environmental securitypleaseseethefollowingsample documents:
●BuildingSecurityPolicy
●Visitor Policy
●Workstation SecurityPolicy(
●MDF/IDFSecurityPolicy
○Authorized personnel only
○Keylock at minimum, keypadwith loggingrecommended
●Sustainable Acquisition and Disposal ofElectronicEquipment– StatewidePolicy107-
009-0050 (
●MDF/IDFEnvironmentGuidelines
○Water/fire avoidance
○Windowless rooms
○Temperature controlledrooms
○Steadypower supplywith UPSdevices in place
●Data Backup Policy
○Backupfrequency
○Offsite backups
VII. Communications andOperations Management
To ensurethecorrect andsecureoperation ofinformation processing facilities, responsibilitiesand procedures for themanagementand operation ofallinformation processingfacilities should be established.This includes the development ofappropriate operatingprocedures. Segregation ofduties should beimplemented, where appropriate, to reducethe risk of negligent or deliberate system misuse.
OPERATIONALPROCEDURES ANDRESPONSIBILITIES Documented operatingprocedures
Changemanagement
Segregation ofduties
Separation ofdevelopment, test, and operational facilities
THIRD PARTY SERVICE DELIVERY MANAGEMENT
Servicedeliverymonitoringandreviewof third partyservices Managingchanges to third partyservices
SYSTEM PLANNINGAND ACCEPTANCE Capacitymanagement
System acceptance
PROTECTIONAGAINST MALICIOUS ANDMOBILE CODE
Controls againstmalicious code
Controls againstmobilecode
BACK-UP
Information back-up
NETWORK SECURITYMANAGEMENT Network controls
Securityof networkservices
MEDIA HANDLING
Management ofremovable media
Disposal ofmedia
Information handlingprocedures
Securityof system documentation
EXCHANGE OFINFORMATION
Information exchangepolicies and procedures
Exchange agreements Physical media in transit Electronicmessaging Business information systems
ELECTRONIC COMMERCE SERVICES Electronic commerce
On-LineTransactions
Publiclyavailable information
MONITORING Audit logging Monitoringsystem use
Protection ofloginformation Administrator and operator logs Faultlogging
Clock synchronization
VIII.Access Control
Access to information, information systems, information processing facilities, andbusinessprocesses will becontrolledon the basisof business and securityrequirements. Formal procedures willbedeveloped and implemented tocontrol access rights to information, information systems, andservices to prevent unauthorized access. Users will be made awareof theirresponsibilities formaintainingeffectiveaccess controls, particularlyregardingthe useof passwords. Thedistrict system accessrules enforces the expectation that users haveindividually assigned user names andusers understand that theyareheldaccountable for actions taken with theirusernameand password. Userswillbemade awareof their responsibilities to ensure unattended equipment has appropriateprotection.
A clear desk ruleforpapers and removablestoragedevicesand a clear screen ruleisstrongly recommendedespeciallyin work areas accessible bystudents, parents, or thepublic. Steps will betaken to restrict accessto operatingsystems to authorized users. Protection willbe required commensurate with the risks when usingmobile computingandteleworkingfacilities. <district nameinsuresappropriate password policies, auto-lockingof systems and otherPC securitypolicies byuse ofthe district’s DirectoryGroup Policyand onlythedistrict’s domain administrators havetheabilityto changegrouppolicy. Theprocedures foraccess to systems vary dependingon the typeofaccess and howthat access is facilitated.
Anyusers requiringlocaladministrator access to server systems must fill outan insertyour form namehere.All employees willreceive trainingon the useof passwords, when systems are to be locked or timed out, how thedifferent levelsofinformation securitydetermines how information assets arehandled, and whenand how information will be transported and disposed of. All users requiring remote access to thedistrict’snetworkto work remotelyarerequired tofill out and submit formanagementapproval.
Thedistrict’s System DevelopmentLifecycle (SDLC) and its End-User Development standards defineresponsibilities for ensuring appropriate controls areprogrammed accordingto business needs and information securityrequirements.
IX.Information SystemAcquisition, Development, andMaintenance
In order to ensuredata and softwareintegrity,confidentiality, and availability, allnew systems(off-the-shelforcustombuilt) mustbedesignedwith securityin mind. This is most effective when securityis plannedand implemented throughout the entirelifecycle. Access to system files and program sourcecodewillbe controlledand information technologyprojects and support activities conducted in asecuremanner. Technical vulnerabilitymanagement willbe implemented with measurements taken to confirmeffectiveness.
Districts should undertakethe followinginitiatives as abaselineto secureinformation system acquisition, maintenance,and development.
Encryption -Encryptionshould beused, where appropriate, to protect sensitive information at rest and in transit. Allremote access should beencryptedand secured (i.e. VPN tunnel). Remote access should onlybegranted when an establishedbusiness need exists.
Network and System Monitoring-Procedures should be in placeto monitor and review network and information technologysystems. District Networkand Securityteams should maintain and reviewvarious securityand accessreports regularlytoensurethe securityof network and information technologysystems. Someof thesystems districts can employto verifyand maintainITsecurityincludeSNORT, NESSUS, TrackingSystem Access (TSA), and Nagios. Thesesystems can beusedto determine if an inappropriate access has been attempted and to prevent unauthorized access to systems and data. Anycontrols deployed should bebased on arisk analysis.
Data Access Review-Access to data should alsobe reviewed. A system like TSA should be usedto captureemployeeaccess to sensitive data.Thesystem provides processes that can beusedbymultiple applications to storetrackingactivitydata. Additionally, this system provides aprocess toarchive thedata.
Information System Acquisition and Development-Whereadistrict is involved in the purchaseof applicationsorthe customdevelopment or adoption of applications to support theirbusiness processes itis stronglyrecommended that theyadhereto theproject management proceduresidentified in theProject ManagementBodyof Knowledge (PEMBOK)and includeinformation securitythroughout thedevelopmentand/or procurement cyclefrom requirementsgatheringthrough implementation. Each information system hasan identifiedowner andeach information system acquisition ordevelopment project has an identifiedsponsor. Each system that is developed should have clearlydefined access needs, user authorization needs, separationofduties, and accountabilitycontrols,
MaintenanceofInformation Systems-Information systems requireongoingmaintenanceto remain both operational and secure. Maintenancechanges to applications, middleware, and hardwareshould bereviewed and approved to ensure allrisk and impact(both to the application and alldownstream resources)are fullyunderstood.
Oncethe baseline concepts havebeenestablishedinto the softwaredevelopment life-cycle, additional goals should be established.Thesegoals should occur at each stageof thelife-cycle. Specificgoals foreach stageshould be:
ProjectInitiation
Definesensitivityof information involved
Definecriticalityof system
Definesecurityrisks
Definelevel of protection needed
Defineregulatory/legal/privacyissues
Functional Design
Determineacceptablelevel of risk
Identifysecurityrequirements and controls
Design Specification
Design securitycontrols
Reviewdesigns
SoftwareDevelopment
Document securityissuesand controls
Test code as itdevelops
Release and Maintain Reviewtests Certifysystem
Constantlyassess securityposition
X. Information Security Incident Management
An information securityorprivacyincident is a single, orseries of, unwanted or unexpectedinformation securityevents that resultin harm, or poseasignificant threatofharm to information assets, protected studentdata, orthe organization’s infrastructure. Examples of information securityor privacyincidentsinclude:
●Anyincident relevant to the OregonIdentityTheftProtection Act
●Anyincident relevant to FERPA
●Anyincident relevant to the HealthInsurancePortabilityand AccountabilityAct
(HIPAA)
●Lost or stolen documents containingsensitiveinformation
●Conversation containing sensitive information overheard byunauthorized person who discloses theinformation to the public
●A virus or worm has become wide spread
●A keystrokelogger has infectedaworkstation used to enter sensitive information
●Web site defaced
●Unauthorized access to information wasgained
●Anykind of sabotagethat effects information
●Denial ofservice attacks.
Thedistrictwillidentifyand document capabilities to respond to information securityandprivacyincidents involvinginformation in anyform whether electronic, data, paper or verbal. At aminimum a basic incident response plan includes:
●Primarypointof contactand backup for an information securityincident.
●Identification of additional resources (district personnel, ESD personnel, ODE personnel)
●Process forreportingandrespondingtoaninformation securityincident
●Policedepartment contact if theincident is criminal in nature
●Primarypointof contactforinformation securityand privacyincidents
●Backup pointof contact forinformationsecurityand privacyincidents
●Other information securityand privacyincident resources
The followingis a basicprocess for identifying and respondingtoan information securityor privacyincident:
1. Identifythe event
2. Has protected data been lost, exposed, or disclosed? Ifyes,what type?
a. FERPA protected studentdata
b. Personally IdentifiableInformation as defined in theOregonIdentityTheft
Protection Act
3. Is the organization at risk of continuingto lose data?
4. Identify, document andexecute steps to re-mediatethe problem
5. Contact anyof the followingas necessary:
a. Oregon Department of Education b. Police
c. OregonDepartment of Consumer andBusiness Services (for losses involvingdata protected under theOregonIdentityTheft Protection Act)
d. Other schools, districts, ESDs that maybeexperiencingthe sameissue
e. Others as necessary
6. Oncethe incident is resolved, conduct a lessons learned exercise to preventrepetition.
XI.Business Continuity Management
Thepurpose of business continuitymanagement is to counteract interruptions to businessactivities and toprotect critical business processesfrom the effects of major failures of information systems or disasters andto ensuretheir timelyresumption. A business continuity management process will be establishedto minimizethe impact on thedistrict and recover from lossof information assets to an acceptablelevel througha combination ofpreventive and recoverycontrols. A managed process will be developed and maintainedfor business continuity throughout theagencythat addresses theinformation securityrequirements needed for the district’s business continuity.
Templates and examplesofhow to develop a district business continuityplan are availableat
Formoreinformation about the district’s businesscontinuityplan (BCP) please contact thedistrict superintendent’soffice.
XII. Compliance
Thedesign, operation, use, and management ofinformation and information assets aresubjecttostatutory, regulatory, andcontractual securityrequirements. Compliancewith legal requirements is necessarytoavoid breaches of law, statutory, regulatoryor contractualobligations, and ofany securityrequirements. Legal requirements include, but arenot limited to:statestatutes, federal statutes and regulations,contractualagreements, intellectual propertyrights, copyrights,and protection and privacyofpersonal information.
The following federal and state statutes and regulations apply:
Federal Regulations
●FERPA
●CIPA
●COPPA
●HIPPA
OregonRevised Statutes (ORS) References
●ORS326.565 Standards forstudent records; rules
●ORS326.575 Records when student transfers oris placed elsewhere; noticeto parents;amendments to records; rules
●ORS336.187 When school authorized to disclose information about student;immunityofrecipient
●ORS343.045 Criteria fordevelopment and operation ofspecial programs; rules
●ORS343.155 Proceduresto protect rights of childwith disability; rules; content of rules
OregonAdministrativeRules (OAR) References
●581-021-0250 AnEducational AgencyorInstitution's PolicyRegardingStudentEducation Records
●581-021-0265 Confidentialityof Student Education Records
●581-021-0270 Rights ofInspection and Review ofEducation Records
●581-021-0330 PriorConsent to DiscloseInformation
●581-021-0340 Exceptions to PriorConsent
●581-021-0360 Conditions forthe DisclosureofInformation to Other EducationalAgencies orInstitutions
●581-021-0370 Conditions forthe DisclosureofInformation forFederal orStateProgram Purposes
●581-021-0371 Conditions forDisclosureofInformation to Complywith JudicialOrder or Subpoena
●581-021-0372 Conditions forthe DisclosureofInformation WhenLegal ActionInitiated
●581-021-0380 Conditions for theDisclosureofInformation in Health andSafetyEmergencies
●581-021-0390 Conditions forthe Disclosureof Directory Information
●581-021-0391 Conditions forthe DisclosureofInformation to JuvenileJusticeAgencies
●581-021-0400 RecordkeepingRequirements
●581-021-0430 TheDistribution ofRules Relating to Student Records
Reference(links to webpages)
Communications and Operations ManagementISO_IEC_27002-2005.pdf
Workstation SecurityPolicy(
Sustainable Acquisition and Disposal of ElectronicEquipment– StatewidePolicy107-
009-0050 (
Business ContinuityPlans,
DistrictPolicies– to bedeveloped inseparate document
DistrictAdministrativeRules– to be developedin separate document
Definitions
Asset-Anyresourcethatcould contributeto thedeliveryof aservicethat is racked via an asset tagandreportedon annuallyforvalue.
Entity -Anybusiness unit, department, group, orthird party, internal orexternal to the district, responsible formaintainingdistrict assets.
Risk-Those factors that could affect confidentiality, availability, and integrityof the district's keyinformation assets and systems.InfoSecis responsible forensuringthe integrity, confidentiality,and availabilityof critical information and computingassets, while minimizingthe impact of securityprocedures andpolicies upon business productivity.