
Avon CSD

Learning for a Lifetime

Technology & Digital Systems Home

Data Privacy & Security

The Avon Central School District is committed to Data Privacy & Security for the entire learning community of Avon.
If you feel that your child's personal data has been disclosed improperly, please fill out the Avon CSD Data Privacy Potential Improper Disclosure Report form. You may also contact the NYS Privacy Office at NYS Student Privacy Department

Avon CSD:
- Parents Access to Student Data BOE Policy 7240

- Student Directory Information BOE Policy 7241

- Information Security BOE Policy 5672

- Parent's Bill of Rights for Data Privacy & Security
- Data Privacy Policy: BOE Policy 7251

Federal Government Protections for Educational Data:
- FERPA Protections for Educational Data: Family Educational Rights and Privacy Act
- COPPA Protection: Children's Online Privacy Protection Rule

For a list of software privacy policies that are utilized by the district or for FERPA related questions or concerns, please contact Michelle Burke, Director of Digital Systems at mburke@avoncsd.org

Our 1 to 1 Device Program

Our reasons behind pursuing a 1 to 1 device program are rooted in our Technology Mission Statement and the Goals of our Technology Plan.

Avon CSD Technology Plan

The Avon Central School District will create a technology-rich learning environment to strengthen effective teaching and learning.  Students will use current hardware, software, and telecommunications to solve significant problems and to effectively express themselves in a safe and responsible manner with a wide array of local, national, and international audiences.

Goals

  • The purpose of this procedure is to ensure that critical computing resources are monitored, controlled, and protected from improper and/or unauthorized access and usage.

    Technology resources are inventoried by Wayne Finger Lakes BOCES/Edutech and the Technology Department. Weekly inventory checks will be performed and logged.

    All district computers will require an authenticated district user to log in for the device to function.

  • Data Backup Management – The purpose of this procedure is to ensure that computers/servers have regular and scheduled backups or saves of valuable production data.

    Local User Data & Servers: User directories and servers are to be backed up on a daily basis.

    A deduplicated backup is to be conducted nightly to the backup hard drive array.

    Weekly tape backups are kept for a minimum of four weeks until Monthly tape backup is executed. 

    Monthly tape backups are kept for a minimum of 1 year.

    Yearly tape backups are kept for a minimum of six years.

    Backup activity will be checked daily.

    Weekly data recovery will be performed as a test.

    Financial Package:
    User data and the server are backed up nightly per “Local User Data & Server” procedures outlined above.
    User data is backed up nightly to a remote location.

    Student Information System:
    User data and the server are backed up nightly per “Local User Data & Server” procedures outlined above.
    User data is backed up nightly to a remote location.

    Special Education Management Package:
    User data and the server are backed up nightly per “Local User Data & Server” procedures outlined above.
    User data is backed up nightly to a remote location.

  • The purpose of this procedure is to ensure that the data center is maintained in a safe and secure manner, including proper access to controls and environmental controls.

    The data center is to have keyed access limited to District Technology Staff and District Administration. The data center is to remain locked when no one is present.

    The Data Center is climate controlled with an automated server in order to protect servers and core networking closet.

  • The purpose of this procedure is to ensure that user requests, application failures and other work performed by the technology staff are prioritized, monitored, and controlled. The District employs a Work Order Facility Management System for employees to report problems and requests. When prioritizing requests, consideration is given, but not limited, to:

    Impact on district business functions.

    Impact on instructional environment.

    Number of users affected.

    Time sensitivity of the problem.

    The Technology Department understands that there are times when the limited function of a device will require a phone call or visit to the Technology Department.

    The Technology Department also understands that there are times that the magnitude of a problem necessitates an immediate call to the Technology Department for help. In addition, staff may be in need of quick assistance or verbal help. We encourage staff to call with any and all questions. 

  • End User Software:

    • Software changes may be driven by instructional need and business/organizational functions.

    • When a need for a software change is identified, District Administration and the Technology Department will work to secure funds in order to purchase new software.

    • Small scale software installations (approx. ten or less) – Software may be installed on a one by one basis by the Technology Department.

    • Large scale software installations (approximately eleven or more) – Software may be installed by computer imaging process.

       

    Server Software:

    • Servers will be updated from a SUS server as updates are approved by Wayne Finger Lakes BOCES/Edutech.

  • The purpose of this procedure is to ensure vendor compliance with service level agreements as specified in vendor contracts.

    • The Director of Digital Systems will work with Wayne Finger Lakes BOCES/Edutech to ensure vendors provide services.  

    • SLAs will be monitored for availability and timeliness of services; confidentiality and integrity of data; change control; security standards compliance, including vulnerability and penetration management; business continuity compliance; and help desk support.

  • This procedure will provide a process and assurance that all workstations and network components have up to date virus protection.

    • Antivirus distribution will be implemented from a centralized server.

    • All district servers and workstations will be updated nightly with the latest anti-virus definitions.

    • Weekly spot-checks of workstations and servers will be completed.

Internet Safety Resources

GoGuardian Parent App
The GoGuardian parent App allows you to view the sites your child has been visiting, the documents they have been working on, and the extensions they have been using on their school Chromebook. In addition, you will be able to set a time limit schedule for their Chromebook use outside of school hours. Please watch this VIDEO to see an overview of the app and get step-by-step instructions on how to sign up for access.

NetSmartz
NetSmartz is an Internet safety curriculum for Teachers and Parents. They have a wealth of free resources that could be used at home or in the classroom. NetSmartz is sponsored by The National Center for Missing and Exploited Children, The Office of Juvenile Justice and Delinquency Prevention, and The Boys & Girls Clubs of America.

Parent's Guide to Child Internet Safety

  • Below is an outline of the evaluation and response procedures of a reported cybersecurity event. A cybersecurity event may or may not include Personally Identifiable Information (PII). PII includes information that can be used to distinguish or trace an individual's (student, parent, or employee) identity either directly or indirectly through linkages with other information including name, address, and/or identification numbers.

    As recommended by the National Institute of Standards and Technology (NIST), the District's Data Incident Response Team focuses on the: Preparation, Detection, Analysis, Containment, Eradication, and Recovery of data. When a data incident is reported or discovered, this response plan is immediately set into motion.

    1.      IDENTIFY

    Validate the data breach:

    • Examine the initial information to confirm that a breach has occurred.

    • If criminal activity is suspected, notify law enforcement and follow any applicable federal, State, or local legal requirements relating to the notification of law enforcement (the decision to involve outside entities, including law enforcement, should generally be made in consultation with executive leadership and legal counsel).

     If a breach has occurred:

    • The Superintendent or designee will assign a District-level administrator to serve as an incident manager to coordinate multiple organizational units and the overall incident response. (Typically, the team manager is the incident manager; alternatively, the team manager assigns another individual to lead the response activities);

    • Determine if there was a breach of PII;

       

    • If possible, identify the type of information disclosed and estimate the method of disclosure (internal/external disclosure, malicious attack, or accidental); and

    • Begin breach response documentation and reporting process.

       

    Assemble the District's Data Incident Response Team:

    • Information Security and Data Protection Officer, Director of Instructional Technology, and appropriate other Administration and Staff.

       

      2.      DETECT AND PROTECT

    • Immediately determine the status of the breach (on-going, active, or post breach).

    • If the breach is active or on-going, take action to prevent further data loss by securing and blocking unauthorized access to systems/data and preserve evidence for investigation.

    • Document all mitigation efforts for later analysis.

    • Advise staff who are informed of the breach to keep breach details in confidence until notified otherwise.

       

    Determine the scope and composition of the breach:

    • Identify all affected data, machines, and devices.

    • Conduct interviews with key personnel and document facts (if criminal activity is suspected, coordinate these interviews with law enforcement).

       

    • When possible, preserve evidence (backups, images, hardware, etc.) for later forensic examination.

       

    • Locate, obtain, and preserve (when possible) all written and electronic logs and records applicable to the breach for examination.

    • Work collaboratively with data owners to secure sensitive data, mitigate the damage that may arise from the breach, and determine the root cause(s) of the breach to devise mitigating strategies and prevent future occurrences.

    Notify Law Enforcement (situation dependent):

    • Consult legal counsel to examine any applicable federal, State, and local breach reporting requirements to determine which additional authorities or entities must be notified in order to satisfy compliance requirements.

    • Seek involvement of law enforcement when there is a reason to believe that a crime has been committed or to maintain compliance with federal, State, or local legal requirements for breach notification.

    • In concert with District Administration and legal counsel, designate a single organizational representative authorized to initiate and/or communicate breach details to any party, including law enforcement.

       

    3.       RESPOND

    Determine whether notification of affected individuals is appropriate and, if so, when and how to provide such notification:

    • Determine whether notification is warranted and when it should be made.

    • Notify affected individuals whose sensitive information, including PII, has been compromised, as required by applicable federal, State, and local laws.

       

    4.      RECOVER

     Collect and review any breach response documentation and analysis reports:

    • Assess the data breach to determine the probable cause(s) and minimize the risk of future occurrence.

    • Address and/or mitigate the cause(s) of the data breach.

    • Solicit feedback from the responders and any affected entities.

    • Review breach response activities and feedback from involved parties to determine response effectiveness.

    • Make necessary modifications to the District's breach response strategy to improve the response process.

    • Enhance and modify the District's information security and training programs, which includes developing countermeasures to mitigate and remediate previous breaches; lessons learned must be integrated so that past breaches do not reoccur.


  • STAFF

    Activation: User accounts, for computer login, email, SMS, and web page are activated only after the office of the Superintendent of Schools notifies the Technology Department.

    • New staff meet with the Technology Department for training before account usage.

    • All new users must sign an Acceptable Use Agreement.

    • Accounts are not to be shared.

    • Passwords are force changed twice during the school year.

    • User rights to services and applications are determined by job duties.

    Deactivation: Accounts are disabled per Board of Education Minutes or when the Technology Department is contacted by an administrator or their secretary.

    STUDENT

    Activation: Accounts are created upon notification from the District Registrar and the receipt of a signed Acceptable Use Agreement.

    • Accounts are not to be shared.

    Deactivation: Accounts are discontinued upon notification of withdrawal by the District Registrar.

    SUBSTITUTE STAFF

    Activation: Accounts are created upon notification by the Office of the Superintendent.

    Deactivation: Accounts are disabled daily except in the case of a multi-day or long term sub assignment.

    WEBSITE

    Staff may be expected to maintain a website as part of their professional duties.

    • When using student names, only use first name and last initial when identifying students.

    • Staff web pages are to be used for district functions only.

  • The Smart Schools Bond Act was passed by a statewide referendum.  The Smart Schools Bond Act (SSBA) authorized the issuance of $2 billion of general obligation bonds to finance improved educational technology and infrastructure to improve learning and opportunity for students throughout the State.

    View the plan here.

    Avon has utilized these funds to purchase security cameras, servers, cabling, switches, Chromebooks, laptops and fiber connectivity to improve student access to technology and to create secure learning spaces.

    On October 23rd, the BOE discussed the option to reallocate some of the funds from Connectivity to School Security to purchase an Emergency Communication System. The plan is here.

    To learn more about the SSBA and the Smart Schools Investment Plan, please visit NYSED.gov.