The following terminology is used throughout the Information Technology (IT) FAQs below. As needed, a brief note on roles and responsibilities has been added in italics to the end of each answer to help describe the different departments and employees that should be involved in establishing and maintaining the related IT policies and procedures.
IT – IT department personnel within the school district responsible for managing the district’s hardware, software, systems, and networks. IT personnel are generally led by a director who has the ultimate authority within their department. IT personnel who set and control user access rights within a system, commonly called system administrators, should not be end users on the systems they control. However, they should have the ability to assign system access for users based on guidance from the applicable system manager.
System manager – Generally a system’s highest supervisory-level user who communicates to IT the levels of user access to establish for all users of the system. For example, a business manager could be the system manager for the accounting system. As the system manager is a system user, the system manager should not have access to establish users’ roles and access in the system (see Information Technology above).
Human resources (HR) – Responsible for managing employee-related information regarding job roles, such as job transfers, promotions, or terminations.
Decision-makers – Those who have the authority over any given policy, process, or project within a school district and are accountable for the outcome. Generally, the governing board, superintendent, or other executive-level district administration.
1. Why should a school district implement and maintain an IT security framework in its policies and procedures?
A district should have IT policies and procedures that implement and maintain an IT security framework to help protect its systems and data and to document appropriate and inappropriate use of its IT resources. These policies and procedures outline district processes and provide written guidance to help ensure employee/contractor accountability when using the district’s IT resources. It is important to clearly communicate and disseminate all policies to district employees/contractors to ensure they understand and are aware of the district’s IT policies. The Arizona Department of Homeland Security (AZDOHS) has a list of resources including policies, standards, and procedures on its website that can help districts develop IT security framework policies and procedures.
System managers should work in conjunction with IT to develop and update policies in line with the district’s IT security framework, as needed. Decision-makers should be informed of those policies and procedures and approve their implementation, as well as make any key decisions necessary to facilitate the creation of the policies.
2. How can a school district review its current policies and procedures and determine what further policies and procedures are needed?
While most districts have some IT policies and procedures in place, those policies or procedures may not be comprehensive enough to cover all IT areas. The policies and procedures may also need to be more formally documented to fully implement the district’s IT security framework. A district should evaluate its current policies and procedures in comparison to IT standards and best practices (See FAQ #3) and identify any gaps that need to be addressed in its IT environment.
Significant gaps in a district’s IT security policies and procedures can be discovered through performing an organizational risk assessment. Once the district has identified any risks it may take, it can design supplementary controls to mitigate or minimize those risks.
The following list of policy topics is not intended to be exhaustive, so a district may have additional policy needs. Districts need to evaluate current systems and processes to be able to determine exactly what policies and procedures are needed to help secure their IT resources.
Some policy topics a district should address include the following:
3. What resources are available to help provide guidance on IT best practices?
There are a number of credible resources available that the IT industry uses to help shape policies. Some of these resources include, but are not limited to, Control Objectives for Information and Related Technology (COBIT), National Institute of Standards and Technology (NIST), Federal Information System Controls Audit Manual (FISCAM), and the International Organization for Standardization (ISO).
Other resources available to districts are the IT policies, standards, and procedures set forth by the Arizona Strategic Enterprise Technology (ASET) Office within the Arizona Department of Administration, and the IT Security policies, standards and procedures provided by the Arizona Department of Homeland Security (AZDOHS). ASET and AZDOHS established these policies for Arizona State agencies, and a district can adapt them for its own needs. It is important to note that a district should review these resources regularly because IT best practices can change rapidly. While these IT resources can act as baselines for IT practices, districts may need a higher level of control based on their specific circumstances.
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) provides alerts, tips, and resources. For example, CISA’s Weak Security Controls and Practices Routinely Exploited for Initial Access alert discusses the weaknesses malicious cyber actors commonly exploit and best practices that entities can use to help strengthen their network security controls. CISA’s alert #StopRansomware: Vice Society, issued jointly with the Federal Bureau of Investigation and the Multi-State Information Sharing and Analysis Center (MS-ISAC), discusses ransomware attacks against the education sector and recommended mitigation techniques to reduce the risk of cyber incidents.
IT should be responsible for knowledge and implementation of IT best practices within a district.
4. What role should decision-makers, system managers, IT, and HR have in managing computer systems and network access?
Managing access to computer systems and networks is a critical component of establishing an effective internal control system. User accounts at a district may change frequently as new employees or contractors are employed, change job duties, or leave the district. When employment changes are made, decision-makers, system managers, IT, and HR departments should work together to ensure all user accounts in the district systems are appropriate and necessary for district operations.
HR staff are generally responsible for maintaining employee/contractor information and are aware of new hires, terminated employees/contractors, job transfers, and other aspects of employment within the district. Decision-makers and system managers should communicate employee/contractor changes to HR and IT so they can use that information to ensure employees’/contractors’ system and network access levels are appropriate and critical systems and sensitive data are protected from unauthorized use.
The district should establish a process to ensure timely communication from decision-makers and system managers to HR and IT staff when there is an employee/contractor employment change that requires revised system access. IT should make all necessary user access changes in a timely manner, and the applicable decision-maker or system manager should review the changes for accuracy.
The decision-makers and system managers should work with HR and IT to ensure that access to critical systems and sensitive data is protected from unauthorized use.
5. Why should a school district restrict user access to least privilege necessary?
Restricting access to least privilege necessary provides users access to only the resources and data required to perform their jobs and restricts users from accessing resources that are not necessary for their job function. The concept of least privilege can be applied across many aspects of managing a district, such as physically restricting access to buildings or rooms, implementing logical access controls within IT systems, and minimizing an individual’s capabilities.
Restricting access helps ensure employees/contractors cannot make unauthorized changes and that only those who need access to perform their job function can view sensitive data. For example, human resources (HR) clerks do not need to create purchase orders, and accounts payable (AP) clerks do not need to view or modify employee/contractor records as a part of their job function, so under the concept of least privilege, HR clerks would not have access to create purchase orders, and AP clerks would not have access to view or change the sensitive information maintained in employee records.
Implementing least privilege necessary can be done through broad role-based access rights based on a particular job function for a group of employees, and through very specific rule-based access rights that restrict individual employees’/contractors’ access to specific files and folders. A district should determine the most appropriate way to establish user access to help control IT systems and data. The following Arizona Department of Homeland Security (AZDOHS) policies, standards, and procedures include information on restricting access:
Typically, system managers are responsible for deciding and approving appropriate access, and it is IT’s role to set up the users’ access and ensure the systems enforce the appropriate access levels. The system manager should not have the capability within the IT system to grant users access.
6. Why should a school district provide employees/contractors security awareness training at least annually that addresses prevention and detection of technology-related threats?
A district should provide annual security awareness training to help employees/contractors understand how to detect, prevent, and report technology-related threats (i.e., phone and email phishing, website and ransomware attacks, and data breaches). The training should also provide detailed instructions regarding how to prevent, identify, and report suspected security risks and incidents. Security awareness training contents should be reviewed regularly and after significant organizational events such as a breach or change in policy.
Annual security awareness training is important because it can help keep employees/contractors up to date on possible threats to help protect a district’s information technology systems and sensitive data from cyberattacks and other security risks. The district should maintain evidence of training for those who attended the annual security awareness training, including the date(s).
Some resources available to districts for developing annual training are:
The Arizona Department of Homeland Security (AZDOHS) provides policies, standards, and templates related to security awareness training on their website. AZDOHS established these policies for Arizona State agencies, which a district could adapt for its own needs. Specifically, S8210 Security Awareness Training and Education Standard includes a detailed list of security training topics, along with the following AZDOHS policies, standards, and procedures that include information on security awareness training:
Additional resources are available from the National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), and National Cybersecurity Alliance that can include security awareness training topics. The following list of security awareness training topics is not intended to be exhaustive, but rather to provide suggestions for annual training topics:
A district may include any additional training topics to fit its specific district needs. Districts may also refer to the following credible resources for information on security awareness training:
7. What are the components of an IT contingency plan?
It is important to note that IT contingency plans are just one part of a larger district-wide business continuity plan. Business continuity plans encompass activities necessary to continue business operations during and after a disruption. As such, decision-makers should not only develop continuity plans for the main district functions, but also coordinate with IT to ensure business continuity and IT capabilities are matched.
Since a district uses technology systems to perform many business operations, ensuring that the IT systems are available and running effectively is critical. IT contingency planning involves analyzing business functions and the IT systems, data, and resources necessary to support those business functions in case of emergencies or disasters and determining methods to restore full functionality. Such emergencies can include both natural disasters and human-error incidents.
The items necessary for each plan may vary by entity. Some basic contingency plan components include the following:
Typically, decision-makers should work in conjunction with the system managers, IT, and other appropriate district staff to determine appropriate key factors, such as acceptable downtime and criticality of systems and resources. These determinations will then enable IT to develop the contingency plan according to the agreed upon factors.
8. Why should contingency plans be tested and updated?
As hardware and software are updated and personnel changes occur, the current contingency plan may not work as intended. By testing the plan at least annually, the district can expose issues that may arise during an actual emergency and, thereby, develop new procedures to help ensure the contingency plan will work as needed in an emergency. The following Arizona Department of Homeland Security (AZDOHS) policy and template include information for contingency planning:
9. How should contingency plans be tested and updated?
There are many ways to test a contingency plan to give assurance about its effectiveness. Contingency plan testing should include verifying that all plan participants fully understand their responsibilities in addition to testing the assumptions of the plan where possible. Contingency plan testing can come in many forms, including (but not limited to):
The following AZDOHS policies and templates include information for contingency plan testing:
It is common to have IT responsible for incident response/disaster recovery testing; however, system managers, other applicable district staff, and decision-makers should also be accountable for their specific roles within the plan related to testing the plan’s effectiveness.
10. How should incident response/contingency plan tests be documented?
Incident response/contingency plan testing documentation should describe how the district performed the tests (i.e., walkthrough, tabletop discussion, system test, or full interruption, etc.), what the test results were, and any lessons learned from the test. If the tests did not identify any problems or gaps in the contingency plan, the district should document details of how the tests conducted showed that the plan worked. If the tests identified problems or gaps in the contingency plan, the district should document details of how the tests conducted showed that the plan failed, why it failed, and how the district can adjust the plan to compensate for the identified issues. Maintaining documentation of these tests, such as screenshots during tests, backup run results, and minutes from related meetings, provides support for auditor review and can help the district track contingency plan changes to ensure, throughout its lifetime, the plan meets the district’s current needs and the original design intention.
It is typically IT’s responsibility to determine appropriate incident response/contingency plan test documentation to illustrate the testing outcome and challenges; however, system managers and decision-makers should review test outcomes and be involved in approving contingency plan changes to address any issues noted in testing.
11. What is data classification and why is it important?
Data classification is a process to categorize data by its sensitivity. This categorization can be used to apply security standards and practices to groups of data. A district should identify what pieces of its data belong in classification groups, such as important, critical, confidential, or sensitive. Some data may belong in more than one group, such as personally identifiable information (PII), or student data as defined by the Family Educational Rights and Privacy Act (FERPA). Classifying data into groups allows the district to ensure it appropriately protects information based on its classification(s).
Classifying data and restricting a user’s access based on the least privilege necessary are related, as unauthorized users should not have access to sensitive data, and authorized users should have only the access they need to that data to do their job. A district can use data classification in combination with assigning privileges to identify what data is appropriate for which positions and grant access to those employees/contractors (See FAQ #5 for additional information on least privilege).
It is common for IT to be responsible for establishing the controls that ensure the various classifications of data are adequately protected. IT should work with decision-makers and system managers to ensure that the controls in place for each data classification accurately reflect the district’s needs for data access and security.
12. Why are logging and monitoring important, and what types of IT activities should a school district log and review?
Proper monitoring can help a district be proactive and address potential threats and other issues before harm occurs. Logging and monitoring are essential to ensuring the integrity of district data. Logging involves keeping a record of changes and actions related to the district’s network and computer systems. Monitoring involves timely review of logged activities to ensure they are appropriate.
Most accounting and student information systems, as well as their databases, have logging functionality built in, often enabled by default. On the IT infrastructure side, operating systems and network devices, such as firewalls, web filters, and anti-malware products, can also be configured to log activities and events for review. IT staff often need to manually enable this type of logging, and it can add value to operations.
Due to the nature of IT systems, logs can quickly become unmanageable in length. As a result, a district should determine the key activities or critical IT events and areas to log and monitor, such as those affecting security, availability, and appropriate use of its computer systems and other resources. Once the district has identified data classifications, such as sensitive data, and what IT activities and events it is most concerned about, such as unauthorized users accessing the network, it should log and monitor these events and follow up when something occurs that requires attention. The district should review these logs on a regular basis (i.e., daily, weekly, or monthly) depending on the district’s specific needs to ensure appropriate actions are taken to resolve issues identified. Some organizations find it useful to develop or acquire software to help them to correlate, monitor, alert, and report on the events they decide to log.
IT should generally be responsible for logging and monitoring efforts; however, it is also important for decision-makers and system managers to be accountable for identifying those key activities that should be monitored, such as activities that do not have a compensating control elsewhere or that pose a separation of duties issue. System managers should also monitor logged activity reports to help ensure that activities are appropriate and follow up and remediate any questionable activities if necessary.
13. What are the steps a school district should take to help adequately secure its network and data?
To help protect both their physical and digital assets from malicious threats and inappropriate use, a district should compare its existing network and data (IT security) policies and procedures to industry standards and best practices (See FAQ #3) to ensure appropriate controls are in place.
For instance, the district should:
IT is responsible for ensuring the network is secure and adequately protected from unauthorized access.
14. Why should a school district follow a password policy that requires strong passwords, screen locks, repeated failed sign-on attempt lockouts, and prohibited sharing of user IDs and passwords along with more modern controls to authenticate user identities?
A district should follow a password policy that secures sensitive information and ensures proper user authentication to help protect its systems and data. Strong password policies help mitigate the risk of serious security threats such as data breaches and unauthorized access.
There are many resources available to districts for developing and following a password policy. A few possible resources are below.
The Arizona Department of Homeland Security (AZDOHS) provides policies, standards, and templates regarding IT policies on their website. AZDOHS established these policies for Arizona State agencies, and a district could adapt them for its own needs. The following AZDOHS policies and templates include information concerning the identification and authentication of users, as well as access controls:
A password policy could include, but is not limited to, the following topics:
Districts may also refer to the following credible sources for information and recommendations related to password policies:
15. What benefits do network directory services, such as Active Directory in Windows, Open Directory in Apple’s Mac OS, or Red Hat Directory for some Linux implementations, offer a school district?
Network directory services provide a shared infrastructure and often a central information repository that a district can use to help locate, manage, administer, and organize network resources, such as users, groups, devices, and storage volumes. These services also provide capabilities to set and manage policies that apply to these resources. For example, use of directory services would allow a district to set and manage policies that govern what district users and workstations can and cannot do and what resources they can and cannot access. Changes to the workstation policies would be automatically applied to all of the district’s workstations instead of requiring IT personnel to make changes to each computer manually. Properly configured, this would help ensure that no computer on the network would be running outdated policies.
IT is responsible for ensuring appropriate user account management on the network.
16. Why should a school district use a newer operating system?
Newer operating systems often have increased security features, as newer security technologies and approaches are generally incorporated and implemented in them. These security features can range anywhere from better reporting of problems to new technologies that increase the system level of security. Newer operating systems are also more likely to be patched against known security issues, so it will be harder for malicious users to break into the system using techniques to which older operating systems were vulnerable.
Despite the benefits of newer operating systems, the district should fully test any upgrades, like any other software installation. The district should ensure that the newer operating systems will function properly with any software in use and will integrate well with the network. Should the district find any incompatibilities, these should be resolved before implementing any new operating system into its live environment.
Regardless of the upgrade frequency a district chooses, it is important to ensure the vendor actively supports the operating system in use so it can continue to receive security fixes for known vulnerabilities or bugs. The district should plan to replace any operating systems or software that may be close to the end of their useful life or no longer eligible for support from their vendor.
IT is responsible for ensuring appropriate operating system use within the district. This includes IT updating decision-makers and system managers when operating systems may be approaching end-of-life so that they can consider any budget requests.
17. What should a school district consider before instituting a Bring Your Own Device (BYOD) practice, allowing use of social media/networking, wireless networks, or remote access?
Decision-makers, system managers, HR, and IT should discuss the potential implications involved with social media, wireless and remote access, and personal devices. Following a district-wide determination of appropriate technologies, IT will typically develop the related policies and submit them to decision-makers for review.
As with any change in practice, before a district adopts or permits the use of any new technology, it should consider the security risks the technology introduces, ways to help mitigate those risks, and what policies will be needed to guide its use. A few examples of risks to consider for BYOD, social media, wireless, and remote access are listed below.
BYOD
Social media
Wireless
Remote access to systems and resources from locations outside the district
18. Why are technology user and third-party vendor agreements important?
Technology User Agreements (sometimes called Electronic Information System Agreements or Acceptable Use Agreements) help the district ensure that all district staff and students are informed of district policies regarding technology resources and of the appropriate behavior when using those resources. User agreements provide the district with a record of when users agreed to policies so it can properly enforce technology policies.
In addition, a district’s cloud computing, digital learning, and vendor contracts or data-sharing agreements should have appropriate security/access, processing, and backup controls in place. The district should appropriately review data accessed or processed by vendors or third parties for propriety. Further, a district should have written agreements that include an acknowledgement that service providers are responsible for the security of confidential data the service provider possesses.
Typically, IT will develop appropriate user agreements and submit them to decision-makers for approval. After approval, it is the IT department’s responsibility to enforce the user agreement policy.
19. When should a district implement multifactor authentication controls for accessing its IT systems?
At a minimum, a district should implement multifactor authentication or compensating controls for all users with remote access, administrative access, and access to its critical IT systems (i.e., systems that contain sensitive information or that are necessary for district safety, mission, business, or security operations) to help protect those systems and sensitive information contained within them. Multifactor authentication uses more than 1 of the following factors to gain access to an IT system:
Recently, the Cybersecurity & Infrastructure Security Agency (CISA) updated its Bad Practices Catalog to include the practice of “Single-Factor Authentication for remote or administrative access” to critical systems. This practice is a security risk, and addressing it will help protect systems against cyberattacks. The National Institute of Standards and Technology (NIST) and the Arizona Department of Homeland Security (AZDOHS) made similar updates to their authentication configuration guidance. The related NIST special publications and AZDOHS policies and procedures, which are based on NIST’s guidelines, are available at:
Districts should conduct a risk assessment to determine appropriate changes to authentication configurations. The risk assessment should help identify any systems that may need additional authentication controls; determine if those systems can implement additional authentication controls; and if not, determine what compensating controls may help limit access to critical systems and sensitive information to only those individuals who need it for their job responsibilities.
Districts may also refer to the following credible resources for viewpoints on single-factor and multifactor authentication.
20. Where can I find information about Arizona’s data-breach laws?
The Arizona Attorney General’s website (azag.gov) has information regarding data-breach laws covered in Arizona Revised Statutes §§18-551 and 18-552 on its Arizona’s Data-Breach Notification Law FAQ page.
Copyright (c) 2022 Arizona Auditor General