Information Security Framework for Education Birth-12


Nov 18, 2013 (3 years and 6 months ago)


Release date: August 15, 2012

Information Security Framework for Education Birth-12

Drafted by the Education Information Security Committee, Information Security Framework Workgroup

Workgroup Members: Rick Wahlstrom (NWRESD, chair), Amy McLaughlin (ODE), Nick Lapp (IMESD), Benjamin Tate (Salem-Keizer SD), John Goucher (Hillsboro SD), Lance Queen (Crook County SD)


Security Components

I. Risk Management

Risk Management is the process of identifying, assessing, and taking steps to reduce risk to an acceptable level for information systems and data. Risk management is critical for <district name> to successfully implement and maintain a secure environment. Risk assessments identify, quantify, and prioritize risks against criteria established by the district for risk acceptance and objectives. Assessment results guide and determine appropriate district action and priorities for managing information security risks and for implementing controls needed to protect information assets.


Risk assessments (RAs) can be conducted on any entity within district or any outside entity that has signed a third party agreement with an outside company. RAs can be conducted on any information system including applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.

The role of Information Security Officer (ISO) can be designated or his or her responsibilities assigned to an existing individual. The ISO is responsible for leading and/or facilitating the Information Security Risk Assessment Team.


The identification of information security risks and notification of the ISO is the responsibility of all district personnel. The execution, development, and implementation of remediation programs are the joint responsibility of the ISO and the department responsible for the process or systems with the identified risk. District staff are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Staff are further expected to work with the Information Security Risk Assessment Team in the development of a remediation plan.

Risk management can include the following steps as part of a risk assessment:


1. Identify the risks
   a. Identify agency assets and the associated information owners
   b. Identify the threats to those assets
   c. Identify the vulnerabilities that might be exploited by the threats
   d. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets

2. Analyze and evaluate the risks
   a. Assess the business impacts on the district that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of those assets
   b. Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented
   c. Estimate the level of risks
   d. Determine whether the risks are acceptable

3. Identify and evaluate options for the treatment of risk
   a. Apply appropriate controls
   b. Accept the risks
   c. Avoid the risks
   d. Transfer the associated business risks to other parties (students, personnel, etc.)

4. Select control objectives and controls for the treatment of risks


II. Security Policy

The objective of an information security policy is to provide management direction and support for information security in accordance with <district name> business requirements and governing laws and regulations. Information security administrative rules supporting the overarching information security policy will be approved by the district, published and communicated to all employees, students, and external parties as appropriate. These rules will set <district name>’s approach to managing information security and will align with relevant federal and state regulations and laws.


Information security rules will be reviewed at planned intervals annually or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. Reviews will include assessing opportunities for improvement of <district name>’s information security policies and approach to managing information security in response to changes to <district name>’s environment, new threats and risks, business circumstances, legal and policy implications, and technical environment.


III. Organization of Information Security and Privacy

Information security is proactively managed at <district name>. Management approves information security procedures, assigns security roles, and coordinates and reviews the implementation of security across the (school/district/ESD).



Information security requires coordination and communication throughout the district. This includes ensuring staff and teachers fully understand their roles and responsibilities in maintaining information security and privacy standards. Information security responsibilities must be clearly defined and communicated to staff through easy to locate <procedures/training/administrative rules>.


Key responsibilities in information security and privacy are identified and assigned to specific personnel. In most cases, these responsibilities are a part of an individual’s position, not a separate position. Key responsibilities include:

- Primary point of contact for Information Security (Information Security Officer)
- Primary point of contact for FERPA Privacy Compliance
- Primary point of contact for Information Security Incident Response
- Primary point of contact for security administration


IV. Asset Management

Asset Management is the process of tracking and reporting the value and ownership of information assets. Information asset management is essential in order to provide reliable and secure services. Information assets include:

- Information - the data itself whether stored on paper or electronically
- Databases
- Paper filing systems
- Information technology systems used to store and process valued information


Districts have an obligation to maximize the security and efficiency of asset tracking and utilization. An accurate inventory of information and information systems allows districts to better define and control the components of the infrastructure and services provided. Asset tracking also enables districts to leverage configuration management tools and practices, as well as plan for future asset needs by determining availability of equipment. Accuracy is a key goal in all aspects of Asset Management.


Districts should establish a baseline effort to establish an asset management database. All assets, as defined below, should be tracked in an asset management database, processes should be put in place to maintain the validity and accuracy of the data and annual reviews should be conducted to verify the data.

Once the baseline has been established, districts should undertake process development as part of their next steps. Processes can cover a variety of areas, but should at least establish steps for the following areas:


1. Asset Ordering
2. Asset Receiving and Check-in
3. Asset Requests
4. Asset QA
5. Asset Decommission
6. Asset Surplus/Trade-In

Additionally, standards should be developed for the following areas:

1. Asset Shipping and Receiving
2. Asset Storage
3. Asset Tagging
4. Asset Tracking
5. Asset Reporting


V. Human Resources Security

All employees, volunteers, contractors, and third party users of <district name> information and information assets will understand their responsibilities and will be deemed suitable for the roles they are considered for to reduce the risk of theft, fraud, or misuse of information. Security responsibilities will be addressed prior to employment in position descriptions and any associated terms and conditions of employment. Where appropriate, all candidates for employment, volunteer work, contractors, and third party users will be adequately screened, especially for roles that require access to sensitive information. Management is responsible for ensuring security is considered during hiring and throughout the individual’s employment with the district.


The district intends to ensure that persons employed by or contracting with the district have not engaged in any criminal behavior that is incompatible with their duties and responsibilities with regard to access and handling of protected information, and the mission of the agency. To achieve this goal, the district includes notice in hiring announcements that a background check will be conducted on potential candidates. As a condition of employment, applicants applying for positions must sign an authorization form allowing the district to conduct a criminal background check. The district conducts criminal background checks on all prospective employees, direct hire temporary appointments, and external transfer employees. The Human Resources department will ensure that external contractors have completed criminal background checks on all contractors assigned to work at the district. Information security requirements are included in the position descriptions of the Information Security Officer.


All new employees and temporary employees receive training on the district’s Information Security program and are covered and required to sign relevant security documents. All employees and contractors participate in security awareness training annually, at which time they also sign all applicable security policies.

Security training includes, but is not limited to, training on security policies and procedures, FERPA and HIPAA, individual preventative security steps, as well as information on IT security that educates the user to the dangers at work and at home.



Procedures will be implemented to ensure that an employee, volunteer, contractor, or third party’s exit from the district is managed, and the return of all equipment and removal of all access rights are completed.


VI. Physical and Environmental Security

The purpose of physical and environmental security is to prevent unauthorized physical access, damage, theft, compromise, and interference to <district name> information and facilities. Locations housing critical or sensitive information or information assets will be secured with appropriate security barriers and entry controls. They will be physically protected from unauthorized access, damage, and interference. Secure areas will be protected by appropriate security entry controls to ensure that only authorized personnel are allowed access.


All equipment containing storage media will be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

For more information on physical and environmental security please see the following sample documents:



- Building Security Policy
- Visitor Policy
- Workstation Security Policy (http://www.sans.org/security-resources/policies/200802_002.doc)
- MDF/IDF Security Policy
  - Authorized personnel only
  - Key lock at minimum, keypad with logging recommended
- Sustainable Acquisition and Disposal of Electronic Equipment
  - Statewide Policy 107-009-0050 (http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-0050.pdf?ga=t)
- MDF/IDF Environment Guidelines
  - Water/fire avoidance
  - Windowless rooms
  - Temperature controlled rooms
  - Steady power supply with UPS devices in place
- Data Backup Policy
  - Backup frequency
  - Offsite backups


VII. Communications and Operations Management

To ensure the correct and secure operation of information processing facilities, responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures. Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.


OPERATIONAL PROCEDURES AND RESPONSIBILITIES
- Documented operating procedures
- Change management
- Segregation of duties
- Separation of development, test, and operational facilities

THIRD PARTY SERVICE DELIVERY MANAGEMENT
- Service delivery monitoring and review of third party services
- Managing changes to third party services

SYSTEM PLANNING AND ACCEPTANCE
- Capacity management
- System acceptance

PROTECTION AGAINST MALICIOUS AND MOBILE CODE
- Controls against malicious code
- Controls against mobile code

BACK-UP
- Information back-up

NETWORK SECURITY MANAGEMENT
- Network controls
- Security of network services

MEDIA HANDLING
- Management of removable media
- Disposal of media
- Information handling procedures
- Security of system documentation

EXCHANGE OF INFORMATION
- Information exchange policies and procedures
- Exchange agreements
- Physical media in transit
- Electronic messaging
- Business information systems

ELECTRONIC COMMERCE SERVICES
- Electronic commerce
- On-Line Transactions
- Publicly available information

MONITORING
- Audit logging
- Monitoring system use
- Protection of log information
- Administrator and operator logs
- Fault logging
- Clock synchronization


VIII. Access Control

Access to information, information systems, information processing facilities, and business processes will be controlled on the basis of business and security requirements. Formal procedures will be developed and implemented to control access rights to information, information systems, and services to prevent unauthorized access. Users will be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords. The district system access rules enforce the expectation that users have individually assigned user names and users understand that they are held accountable for actions taken with their user name and password. Users will be made aware of their responsibilities to ensure unattended equipment has appropriate protection.


A clear desk rule for papers and removable storage devices and a clear screen rule are strongly recommended, especially in work areas accessible by students, parents, or the public. Steps will be taken to restrict access to operating systems to authorized users. Protection will be required commensurate with the risks when using mobile computing and teleworking facilities. <district name> ensures appropriate password policies, auto-locking of systems and other PC security policies by use of the district’s Directory Group Policy and only the district’s domain administrators have the ability to change group policy. The procedures for access to systems vary depending on the type of access and how that access is facilitated.


Any users requiring local administrator access to server systems must fill out an <insert your form name here>. All employees will receive training on the use of passwords, when systems are to be locked or timed out, how the different levels of information security determine how information assets are handled, and when and how information will be transported and disposed of. All users requiring remote access to the district’s network to work remotely are required to fill out and submit for management approval.


The district’s System Development Lifecycle (SDLC) and its End-User Development standards define responsibilities for ensuring appropriate controls are programmed according to business needs and information security requirements.


IX. Information System Acquisition, Development, and Maintenance

In order to ensure data and software integrity, confidentiality, and availability, all new systems (off-the-shelf or custom built) must be designed with security in mind. This is most effective when security is planned and implemented throughout the entire life cycle. Access to system files and program source code will be controlled and information technology projects and support activities conducted in a secure manner. Technical vulnerability management will be implemented with measurements taken to confirm effectiveness.


Districts should undertake the following initiatives as a baseline to secure information system acquisition, maintenance, and development.

Encryption - Encryption should be used, where appropriate, to protect sensitive information at rest and in transit. All remote access should be encrypted and secured (i.e. VPN tunnel). Remote access should only be granted when an established business need exists.


Network and System Monitoring - Procedures should be in place to monitor and review network and information technology systems. District Network and Security teams should maintain and review various security and access reports regularly to ensure the security of network and information technology systems. Some of the systems districts can employ to verify and maintain IT security include SNORT, NESSUS, Tracking System Access (TSA), and Nagios. These systems can be used to determine if an inappropriate access has been attempted and to prevent unauthorized access to systems and data. Any controls deployed should be based on a risk analysis.


Data Access Review - Access to data should also be reviewed. A system like TSA should be used to capture employee access to sensitive data. The system provides processes that can be used by multiple applications to store tracking activity data. Additionally, this system provides a process to archive the data.


Information System Acquisition and Development - Where a district is involved in the purchase of applications or the custom development or adoption of applications to support their business processes, it is strongly recommended that they adhere to the project management procedures identified in the Project Management Body of Knowledge (PMBOK) and include information security throughout the development and/or procurement cycle from requirements gathering through implementation. Each information system has an identified owner and each information system acquisition or development project has an identified sponsor. Each system that is developed should have clearly defined access needs, user authorization needs, separation of duties, and accountability controls,


Maintenance of Information Systems - Information systems require ongoing maintenance to remain both operational and secure. Maintenance changes to applications, middleware, and hardware should be reviewed and approved to ensure all risk and impact (both to the application and all downstream resources) are fully understood.

Once the baseline concepts have been established into the software development life-cycle, additional goals should be established. These goals should occur at each stage of the life-cycle. Specific goals for each stage should be:



Project Initiation
- Define sensitivity of information involved
- Define criticality of system
- Define security risks
- Define level of protection needed
- Define regulatory/legal/privacy issues

Functional Design
- Determine acceptable level of risk
- Identify security requirements and controls

Design Specification
- Design security controls
- Review designs

Software Development
- Document security issues and controls
- Test code as it develops

Release and Maintain
- Review tests
- Certify system
- Constantly assess security position


X. Information Security Incident Management

An information security or privacy incident is a single, or series of, unwanted or unexpected information security events that result in harm, or pose a significant threat of harm to information assets, protected student data, or the organization’s infrastructure. Examples of information security or privacy incidents include:



- Any incident relevant to the Oregon Identity Theft Protection Act
- Any incident relevant to FERPA
- Any incident relevant to the Health Insurance Portability and Accountability Act (HIPAA)
- Lost or stolen documents containing sensitive information
- Conversation containing sensitive information overheard by unauthorized person who discloses the information to the public
- A virus or worm has become widespread
- A keystroke logger has infected a workstation used to enter sensitive information
- Web site defaced
- Unauthorized access to information was gained
- Any kind of sabotage that affects information
- Denial of service attacks.


The district will identify and document capabilities to respond to information security and privacy incidents involving information in any form whether electronic, data, paper or verbal. At a minimum a basic incident response plan includes:



- Primary point of contact and backup for an information security incident.
- Identification of additional resources (district personnel, ESD personnel, ODE personnel)
- Process for reporting and responding to an information security incident
- Police department contact if the incident is criminal in nature
- Primary point of contact for information security and privacy incidents
- Backup point of contact for information security and privacy incidents
- Other information security and privacy incident resources


The following is a basic process for identifying and responding to an information security or privacy incident:

1. Identify the event
2. Has protected data been lost, exposed, or disclosed? If yes, what type?
   a. FERPA protected student data
   b. Personally Identifiable Information as defined in the Oregon Identity Theft Protection Act
3. Is the organization at risk of continuing to lose data?
4. Identify, document and execute steps to remediate the problem
5. Contact any of the following as necessary:
   a. Oregon Department of Education
   b. Police
   c. Oregon Department of Consumer and Business Services (for losses involving data protected under the Oregon Identity Theft Protection Act)
   d. Other schools, districts, ESDs that may be experiencing the same issue
   e. Others as necessary
6. Once the incident is resolved, conduct a lessons learned exercise to prevent repetition.


XI. Business Continuity Management

The purpose of business continuity management is to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process will be established to minimize the impact on the district and recover from loss of information assets to an acceptable level through a combination of preventive and recovery controls. A managed process will be developed and maintained for business continuity throughout the agency that addresses the information security requirements needed for the district’s business continuity.


Templates and examples of how to develop a district business continuity plan are available at http://www.oregon.gov/DAS/EISPD/BCP/Forms_Examples.shtml


For more information about the district’s business continuity plan (BCP) please contact the district superintendent’s office.



XII. Compliance

The design, operation, use, and management of information and information assets are subject to statutory, regulatory, and contractual security requirements. Compliance with legal requirements is necessary to avoid breaches of law, statutory, regulatory or contractual obligations, and of any security requirements. Legal requirements include, but are not limited to: state statutes, federal statutes and regulations, contractual agreements, intellectual property rights, copyrights, and protection and privacy of personal information.


The following federal and state statutes and regulations apply:


Federal Regulations

FERPA

CIPA

COPPA

HIPAA


Oregon Revised Statutes (ORS) References

ORS 326.565 Standards for student records; rules

ORS 326.575 Records when student transfers or is placed elsewhere; notice to parents; amendments to records; rules

ORS 336.187 When school authorized to disclose information about student; immunity of recipient

ORS 343.045 Criteria for development and operation of special programs; rules

ORS 343.155 Procedures to protect rights of child with disability; rules; content of rules


Oregon Administrative Rules (OAR) References

581-021-0250 An Educational Agency or Institution's Policy Regarding Student Education Records

581-021-0265 Confidentiality of Student Education Records

581-021-0270 Rights of Inspection and Review of Education Records

581-021-0330 Prior Consent to Disclose Information

581-021-0340 Exceptions to Prior Consent

581-021-0360 Conditions for the Disclosure of Information to Other Educational Agencies or Institutions

581-021-0370 Conditions for the Disclosure of Information for Federal or State Program Purposes

581-021-0371 Conditions for Disclosure of Information to Comply with Judicial Order or Subpoena

581-021-0372 Conditions for the Disclosure of Information When Legal Action Initiated

581-021-0380 Conditions for the Disclosure of Information in Health and Safety Emergencies




581-021-0390 Conditions for the Disclosure of Directory Information

581-021-0391 Conditions for the Disclosure of Information to Juvenile Justice Agencies

581-021-0400 Recordkeeping Requirements

581-021-0430 The Distribution of Rules Relating to Student Records



Reference (links to web pages)


Communications and Operations Management ISO_IEC_27002-2005.pdf

Workstation Security Policy (http://www.sans.org/security-resources/policies/200802_002.doc)

Sustainable Acquisition and Disposal of Electronic Equipment - Statewide Policy 107-009-0050 (http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-0050.pdf?ga=t)

Business Continuity Plans, http://www.oregon.gov/DAS/EISPD/BCP/Forms_Examples.shtml


District Policies - to be developed in separate document

District Administrative Rules - to be developed in separate document


Definitions


Asset - Any resource that could contribute to the delivery of a service that is tracked via an asset tag and reported on annually for value.

Entity - Any business unit, department, group, or third party, internal or external to the district, responsible for maintaining district assets.

Risk - Those factors that could affect confidentiality, availability, and integrity of the district's key information assets and systems. InfoSec is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.


Roles and Responsibilities (to be developed)