In support of efforts to protect key District information assets, manage risk, and ensure regulatory compliance, Information Technology is overseeing development of information system security policies, standards, and procedures.

Acceptable Use of Information Systems Policy 

Acceptable use must be ethical, reflect academic honesty, and show responsible use in the consumption of shared resources.

Email address Policy 

Email domain Policy 

Mass Email Policy 

Access to Sensitive Data Policy

Access to Sensitive Data requires prior authorization. Processes must be in place for the authorization, establishment, review, modification and removal of access to Sensitive Data.

Active Directory Policy

All District owned or operated computers that are compatible with MS Active Directory (AD) and connected to the District network must join Active Directory.

Activity (Log) Review Policy

For all information system resources which contain or access data classified as “Sensitive” per the data classification standard, processes must be in place to ensure the access and activity is recorded and reviewed (audited).

Antivirus Policy

All computers must have approved, functioning, and up-to-date antivirus software. Antivirus software must be set to auto-update virus definitions daily. One mandatory full computer scan is performed every Thursday. Antivirus software for District-owned devices is available for download.

Business Associate Contracts Policy

The District may permit a business associate to create, receive, maintain, or transmit sensitive data on behalf of the District only if it obtains satisfactory assurances that the business associate will appropriately safeguard the information.

Business Unit Security Roles and Responsibilities Policy

It is essential that District Business Units be aware of information security risks and their roles and responsibilities for mitigating these risks.

Compliance Sanctions Policy

The District will impose appropriate sanctions for non-compliance with its information system policies, procedures, and standards.

Computer Logoff/Lock Policy

When leaving a computer, server, personal digital assistant, or other computing device unattended, workforce members must manually log off or lock the device to prevent unauthorized access to District systems or information.

All computing devices that contain or access sensitive information must be secured with either a password-protected screen saver or automatic logoff that will take effect after no more than 15 minutes of inactivity.

Desktop Computer Security Policies

Digital Copyright Policy

 The copying, storing, and/or providing transport of digital material in a manner which violates the copyright associated with the digital material on or through the use of any District Information System Resources is strictly prohibited.

Electronic Data Disposal Policy

All District information systems and electronic media must be disposed of properly when no longer needed or before reuse. Disposal must meet the OU Electronic Disposal and Reuse Standard.

Facility Security Policy

The District must establish procedures to protect sensitive information system resources and data from unauthorized physical access, tampering, and theft.

HIPAA Privacy Policies

Information System and Data Classification Policy

Information Systems (IS) are assets of Sumter School District and must be classified and protected according to the sensitivity and associated risks to the confidentiality, integrity, and availability of the system. IS Owners must identify all IS and follow the classification requirements in the policy.

Information Technology Policy Definitions

Login Banner Policy

The following banner must be displayed when users connect to SSD computer networks:

Monitoring Computer Use Policy

While the District does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the District’s computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for providing service.

Monthly Maintenance Schedule

Monthly Maintenance Plan

Networking Standards

Password Management Policy

The District must implement a formal documented process for the appropriate creation, modification, and safeguarding of information system passwords.

Password Standards

Passwords must meet complexity requirements, be kept private, and be changed every six months.

Patches: Security patches should be installed within 48 hours of release.

Payment Card Industry Data Security Standard: The purpose is to provide the requirements for meeting the PCI DSS and the protection of District information and information system resources that store, process or transmit cardholder data.

Peer-to-Peer (P2P) File Sharing Policy: Peer-to-Peer (P2P) file sharing is permitted only if formally approved and authorized.  Use of P2P file sharing for District academic, research or clinical purposes that does not violate the law or District policy or compromise network integrity or security may be permitted only with approval by technology administration.  A registration process for requesting use of P2P file sharing will be maintained on the District’s web site.

Policy for Mass Communications

Portable Computing Device (PCD) Security Policy 

PCD includes but is not limited to laptops, notebook computers, tablet PCs, smart phones, thumb drives and external media such as CDs or DVDs.

All PCDs, irrespective of device ownership, that connect to non-public District information resources must follow District policies and standards for the security of these resources. This includes PCDs that access District email systems.

PCDs used for District business must be encrypted to protect data from unauthorized disclosure if the device is lost or stolen.

Product Review Policy

The purpose of this policy is to establish requirements for reviewing Information Systems (IS) to identify risks and recommend appropriate security controls to mitigate identified risks to an acceptable and reasonable level. IS will also be reviewed to determine if it is compatible with existing District technology infrastructure.

Please see the Product Review page for more information.

Resource and Data Recovery Policy

 Information System Resource and Data Owners must ensure all Sensitive Information System Resources and Data are identified and covered by recovery plans and procedures to ensure business continuity and the ability to restore any loss of Sensitive Information System Resources and Data.

Risk Assessment and Control Review Policy

All information system resources must undergo a formal assessment process to properly identify risks and determine appropriate responses and controls.

All information system resources receiving, storing and/or transmitting Sensitive data must have a product review completed by Information Technology. The Product Review process will provide the requesting department with an overview of potential technology risks to Sensitive data within the OUHSC environment.

Please see the Product Review page for more information.

Risk Management Policy: The Risk Management policy is currently under revision. Please contact Information Security if you have questions about risk management.

Server Consolidation Policy

Servers or data classified as Category A or Category B Information Systems (IS) must be consolidated into the District’s designated enterprise data centers.

South Carolina Internet and Network Use policies

Security Awareness and Training Policy

The District must implement a security awareness and training program for all faculty, staff and students.

Security Incident Reporting Policy

 All suspected Information Security Incidents must be reported promptly to the appropriate District office or party. See Incident reporting procedures.

Compromised or virus-infected computers must have their District network connection disabled to prevent spread of infection or illegal activities.

Security Incident Response Policy

Information Technology has the authority to initiate investigations of all incidents related to possible breaches of security or exposure of sensitive information on information technology assets. Such investigations will be conducted by Information Technology in connection with appropriate District officials.

System Development Security Policy

All information system resources which store, receive or transmit Sensitive Data must have security reviews conducted throughout their system development life cycle (SDLC).

Third Party E-mail Policy

Do not access third-party mail providers from the District network because this bypasses the District anti-virus systems.

Training Standard

 All faculty, staff, students, and volunteers must take the online security training once a year. See the Information Security Training Education and Awareness site for additional course offerings.

Transmission of Sensitive Data Policy

 Data and Resource Owners must appropriately protect Sensitive Data from unauthorized interception, modification, or access during electronic transmission.

Transportation of Media Policy

Data and Information System Resource Owners must govern the receipt, transfer and removal of electronic media which contain Sensitive Data.

Virus Response Policies

Compromised or virus-infected computers must have their District network connection disabled to prevent spread of infection or illegal activities.

Vulnerability Assessment Policy

 The operating system or environment for all information system resources must undergo a regular vulnerability assessment.

Workstation Use and Security Policy

 Procedures must be in place to ensure all District workstations are classified based on allowable capabilities and activities and secured accordingly in order to protect the confidentiality, integrity, and availability of Sensitive Data contained on or accessed through the workstations.