Applies to ALL computers connecting to the district network.
In support of efforts to protect key District information assets, manage risk, and ensure regulatory compliance, Information Technology is overseeing development of information system security policies, standards, and procedures.
Access to Sensitive Data requires prior authorization. Processes must be in place for the authorization, establishment, review, modification and removal of access to Sensitive Data.
Active Directory Policy
All District owned or operated computers that are compatible with MS Active Directory (AD) and connected to the District network must join Active Directory.
Activity (Log) Review Policy
For all information system resources which contain or access data classified as “Sensitive” per the data classification standard, processes must be in place to ensure the access and activity is recorded and reviewed (audited).
All computers must have an approved, functioning, and up to date antivirus software. Antivirus software must be set to auto update virus definitions daily. One mandatory full computer scan is performed every Thursday. Antivirus software for district owned devices is available for download.
Business Associate Contracts Policy
The District may permit a business associate to create, receive, maintain, or transmit sensitive data on the behalf of the District only if it obtains satisfactory assurances the business associate will appropriately safeguard the information.
Business Unit Security Roles and Responsibilities Policy
It is essential that District Business Units be aware of information security risks and their roles and responsibilities for mitigating these risks.
Compliance Sanctions Policy
The District will impose appropriate sanctions for non-compliance with its information system policies, procedures, and standards.
Computer Logoff/Lock Policy
When leaving a computer, server, personal digital assistant, or other computing device unattended, workforce members must manually logoff or lock the device to prevent unauthorized access to District systems or information.
All computing devices that contain or access sensitive information must be secured with either a password-protected screen saver or automatic logoff that will take effect after no more than 15 minutes of inactivity.
Desktop Computer Security Policies
Digital Copyright Policy
The copying, storing, and/or providing transport of digital material in a manner which violates the copyright associated with the digital material on or through the use of any District Information System Resources is strictly prohibited.
Electronic Data Disposal Policy
All District information systems and electronic media must be disposed properly when no longer needed or before reuse. Disposal must meet the OU Electronic Disposal and Reuse Standard.
Facility Security Policy
The District must establish procedures to protect sensitive information system resources and data from unauthorized physical access, tampering, and theft.
HIPAA Privacy Policies
Information System and Data Classification Policy
Information Systems (IS) are assets of Sumter School District and must be classified and protected according to the sensitivity and associated risks to the confidentiality, integrity, and availability of the system. IS Owners must identify all IS and follow the classification requirements in the policy.
Information Technology Policy Definitions
Login Banner Policy
The following banner must be displayed when users connect to SSD computer networks:
Monitoring Computer Use Policy
While the District does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the District’s computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for providing service.
Monthly Maintenance Schedule
Monthly Maintenance Plan
Password Management Policy
The District must implement a formal documented process for the appropriate creation, modification, and safeguard of information system passwords.
Passwords must meet complexity requirements, be kept private and changed every six months
Patches: Security patches should be installed within 48 hours of release.
Payment Card Industry Data Security Standard: The purpose is to provide the requirements for meeting the PCI DSS and the protection of District information and information system resources that store, process or transmit cardholder data.
Peer-to-Peer (P2P) File Sharing Policy: Peer-to-Peer (P2P) file sharing is permitted only if formally approved and authorized. Use of P2P file sharing for District academic, research or clinical purposes that does not violate the law or District policy or compromise network integrity or security may be permitted only with approval by technology administration. A registration process for requesting use of P2P file sharing will be maintained on the District’s web site.
Policy for Mass Communications
Portable Computing Device (PCD) Security Policy
PCD includes but is not limited to laptops, notebook computers, tablet PCs, smart phones, thumb drives and external media such as CDs or DVDs.
All PCDs, irrespective of device ownership, that connect to non-public District information resources must follow District policies and standards for the security of these resources. This includes PCDs that access District email systems.
PCDs used for District business must be encrypted to protect data from unauthorized disclosure if the device is lost or stolen.
Product Review Policy
The purpose of this policy is to establish requirements for reviewing Information Systems (IS) to identify risks and recommend appropriate
security controls to mitigate identified risks to an acceptable and reasonable level. IS will also be reviewed to determine if it is compatible with existing District technology infrastructure.
Please see the Product Review page for more information..
Resource and Data Recovery Policy
Information System Resource and Data Owners must ensure all Sensitive Information System Resources and Data are identified and covered by recovery plans and procedures to ensure business continuity and the ability to restore any loss of Sensitive Information System Resources and Data.
Risk Assessment and Control Review Policy
All information system resources must undergo a formal assessment process to properly identify risks and determine appropriate responses and controls.
All information system resources receiving, storing and/or transmitting Sensitive data must have a product review completed by Information Technology. The Product Review process will provide the requesting department with an overview of potential technology risks to Sensitive data within the OUHSC environment.
Please see the Product Review page for more information..
Risk Management Policy: The Risk Managment policy is currently under revision. Please contact Information Security if you have questions about risk management.
Server Consolidation Policy
Servers or data classified as Category A or Category B Information Systems (IS) must be consolidated into the District’s designated enterprise data centers.
South Carolina Internet and Network Use policies
Security Awareness and Training Policy
The District must implement a security awareness and training program for all faculty, staff and students.
Security Incident Reporting Policy
Compromised or virus infected computers must have their District network connection disabled to prevent spread of infection or illegal activities. (more information)
Security Incident Response Policy
Information Technology, has the authority to initiate investigations of all incidents related to possible breaches of security or exposure of sensitive information on information technology assets. Such investigations will be conducted by Information Technology in connection with appropriate District officials.
System Development Security Policy
All information system resources which store, receive or transmit Sensitive Data must have security reviews conducted throughout its system development life cycle (SDLC).
Third Party E-mail Policy
All faculty, staff, students, and volunteers must take the online security training once a year. See the Information Security Training Education and Awareness site for additional course offerings.
Transmission of Sensitive Data Policy
Data and Resource Owners must appropriately protect Sensitive Data from unauthorized interception, modification, or access during electronic transmission.
Transportation of Media Policy
Data and Information System Resource Owners must govern the receipt, transfer and removal of electronic media which contain Sensitive Data.
Virus Response Policies
Vulnerability Assessment Policy
The operating system or environment for all information system resources must undergo a regular vulnerability assessment.
Workstation Use and Security Policy
Procedures must be in place to ensure all District workstations are classified based on allowable capabilities and activities and secured accordingly in order to protect the confidentiality, integrity, and availability of Sensitive Data contained on or accessed through the workstations.