The following terminology is used throughout the Information Technology (IT) FAQs below. As needed, a brief note on roles and responsibilities has been added in italics to the end of each answer to help describe the different departments and employees that should be involved in establishing and maintaining the related IT policies and procedures.
IT–IT department personnel within the school district responsible for managing the district’s hardware, software, systems, and networks. IT personnel are generally led by a director who has the ultimate authority within their department. IT personnel who set and control user access rights within a system, commonly called system administrators, should not be end users on the systems they control. However, they should have the ability to assign system access for users based on guidance from the applicable system manager.
System manager–Generally a system’s highest supervisory-level user who communicates to IT the levels of user access to establish for all users of the system. For example, a business manager could be the system manager for the accounting system. As the system manager is a system user, the system manager should not have access to establish users’ roles and access in the system (see Information Technology above).
Human resources (HR)–Responsible for managing employee-related information regarding job roles, such as job transfers, promotions, or terminations.
Decision-makers–Those who have the authority over any given policy, process, or project within a school district and are accountable for the outcome. Generally, the governing board, superintendent, or other executive-level district administration.
1. Why should a school district restrict user access to least privilege necessary?
Least privilege necessary is the principle that users are given access only to the resources and data required to perform their jobs and are restricted from resources that are not necessary to their job function. This concept can be applied across many aspects of managing a school district, from restricting physical key access to buildings to tightening the controls over IT systems.
Restricting access helps ensure unauthorized employees cannot manipulate data and that only those who need access to perform their job function can view sensitive data. For example, payroll clerks do not need to create purchase orders as a part of their job function, so under the concept of least privilege, they would not have access to create purchase orders.
Implementing least privilege necessary can be done through broad role-based access rights based on a particular job function for a group of employees, and through very specific rule-based access rights that restrict individual employee access to specific files and folders. A district should determine the most appropriate way to establish user access to help control IT systems and data.
Typically, system managers are responsible for deciding and approving appropriate access, but it is IT’s role to actually set up the users’ access and ensure the system enforces the appropriate access levels. The system manager should not have the actual capability within the IT system to grant users access.
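The split the FAQ describes (the system manager approves access, IT provisions it, and IT administrators are not end users on the system they control) as an added illustration that is not from the Auditor General's FAQ; the role names, users, permissions and the AccountingSystem class are constructed for this example:

```python
from dataclasses import dataclass, field

# Role-based access (constructed): each job function lists only the
# permissions that function needs, per the FAQ's payroll clerk example.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll.view", "payroll.edit_timesheet"},
    "purchasing_agent": {"purchase_order.create", "purchase_order.view"},
    "business_manager": {"payroll.view", "purchase_order.view", "purchase_order.approve"},
}


@dataclass
class AccountingSystem:
    """Hypothetical system that separates approving access from granting it."""
    system_manager: str                 # approves access levels; is an end user
    it_admins: frozenset                # provision access; must not be end users
    user_roles: dict = field(default_factory=dict)  # user -> set of roles held
    approvals: set = field(default_factory=set)     # (user, role) pairs approved

    def approve(self, approver, user, role):
        """The system manager records which role a user should have."""
        if approver != self.system_manager:
            raise PermissionError(f"{approver} is not the system manager")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.approvals.add((user, role))

    def provision(self, admin, user, role):
        """IT grants the role, but only with an approval on file and never to itself."""
        if admin not in self.it_admins:
            raise PermissionError(f"{admin} cannot grant access (not IT)")
        if (user, role) not in self.approvals:
            raise PermissionError(f"no system manager approval for {user}/{role}")
        if user in self.it_admins:
            raise PermissionError("IT administrators must not be end users here")
        self.user_roles.setdefault(user, set()).add(role)

    def can(self, user, permission):
        """True if any role held by the user carries the permission."""
        return any(permission in ROLE_PERMISSIONS[r]
                   for r in self.user_roles.get(user, ()))


def run_example():
    """Walk through the FAQ's scenario; returns a dict of outcomes for checking."""
    acct = AccountingSystem(system_manager="bmanager", it_admins=frozenset({"itadmin1"}))
    acct.approve("bmanager", "pclerk", "payroll_clerk")
    acct.provision("itadmin1", "pclerk", "payroll_clerk")
    outcomes = {
        "clerk_views_payroll": acct.can("pclerk", "payroll.view"),
        "clerk_creates_po": acct.can("pclerk", "purchase_order.create"),
    }
    # The system manager decides access but has no capability to grant it.
    try:
        acct.provision("bmanager", "pclerk", "purchasing_agent")
        outcomes["manager_can_grant"] = True
    except PermissionError:
        outcomes["manager_can_grant"] = False
    # An IT administrator may not hold an end-user role on the system it controls.
    acct.approve("bmanager", "itadmin1", "payroll_clerk")
    try:
        acct.provision("itadmin1", "itadmin1", "payroll_clerk")
        outcomes["admin_is_end_user"] = True
    except PermissionError:
        outcomes["admin_is_end_user"] = False
    return outcomes
```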
2. What role should IT and HR have in managing computer systems and network access?
Managing access to computer systems and networks is a critical component of establishing an effective internal control system. User accounts at a district may change frequently as new employees or contractors are employed, change job duties, or leave the district. When employment changes are made, IT and HR departments should work together to ensure all user accounts in the district systems are appropriate.
HR staff are generally responsible for maintaining employee information and are aware of new hires, terminated employees, job transfers, and other aspects of employment within the district. HR and IT should use this information to ensure employees’ system and network access levels are appropriate and critical systems and sensitive data are protected from unauthorized use.
The district should establish a process to ensure timely communication from HR to IT staff when there is an employee/contractor employment status change that requires revision in system access. IT should make all necessary user access changes in a timely manner, and the system manager should review them.
The system manager and any appropriate business office personnel, including HR, should work in conjunction with IT to ensure that access to critical systems and sensitive data is protected from unauthorized use.
3. Why should a school district have IT policies and procedures?
A district should develop IT policies and procedures to help protect its systems and data and to describe the appropriate use of its IT resources. These policies and procedures outline district processes and provide written guidance to employees to help ensure employee accountability when using the district’s IT resources. It is important to clearly communicate and disseminate all policies to district employees to ensure they understand and are aware of the district’s IT policies.
System managers should work in conjunction with IT to develop policies as needed. Decision-makers should be informed of those policies and procedures and approve their implementation, as well as making any key decisions necessary to facilitate the creation of the policies.
4. How can a school district review its current policies and procedures and determine what further policies and procedures are needed?
While most districts have some IT policies and procedures in place, those policies or procedures may not be comprehensive enough to cover all IT areas or may need to be more formally documented. A district should evaluate its current policies and procedures in comparison to IT standards and best practices (See FAQ #5), and identify any gaps that need to be addressed in its IT environment.
The following list of policy topics is not intended to be exhaustive, so a district may have additional policy needs. Only after evaluating current systems and processes will a district be able to determine exactly what policies and procedures it needs to help secure its IT resources.
Some policy topics a district should address include the following:
5. What resources are available to help provide guidance on IT best practices?
There are a number of resources available that the IT industry uses to help shape policies. Some of these resources include, but are not limited to, Control Objectives for Information and Related Technology (COBIT), National Institute of Standards and Technology (NIST), Federal Information System Controls Audit Manual (FISCAM), and the International Organization for Standardization (ISO).
Another resource available to districts is the set of policies and procedures set forth by the Arizona Strategic Enterprise Technology (ASET) Office within the Arizona Department of Administration. ASET established these policies for Arizona State agencies, but a district can easily adapt them for its own needs. It is important to note that a district should review these resources regularly because IT best practices can change rapidly. In addition, these IT resources should act as baselines for IT practices, but a district may need a higher level of control based on its specific circumstances.
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) provides alerts, tips, and resources. For example, CISA’s Weak Security Controls and Practices Routinely Exploited for Initial Access alert discusses the weaknesses malicious cyber actors commonly exploit and best practices that entities can use to help strengthen their network security controls. CISA’s alert #StopRansomware: Vice Society, issued jointly with the Federal Bureau of Investigation and the Multi-State Information Sharing and Analysis Center (MS-ISAC), discusses ransomware attacks against the education sector and recommended mitigation techniques to reduce the risk of cyber incidents.
IT should be responsible for knowledge and implementation of IT best practices within a school district.
6. What are the components of an IT Disaster Recovery Plan (DRP)?
It is important to note that IT Disaster Recovery Plans are just 1 part of a larger district-wide Business Continuity Plan. Business Continuity Plans encompass activities necessary to continue business operations during and after a disruption. As such, decision-makers should not only develop continuity plans for the main district functions, but also coordinate with IT to ensure business continuity and IT capabilities are matched.
Since a district uses technology systems to perform many business operations, it is critical to ensure that the IT systems are available and running effectively. IT Disaster Recovery Planning involves analyzing business functions and the IT systems, data, and resources necessary to support those business functions in case of emergencies or disasters and determining methods to restore full functionality. Such emergencies can include both natural disasters and human-error incidents.
The items necessary for each plan may vary by entity, but some basic DRP components include the following:
Typically, decision-makers should work in conjunction with the system managers, IT, and other appropriate district staff to determine appropriate key factors, such as acceptable downtime and criticality of systems and resources. These determinations will then enable IT to develop the Disaster Recovery Plan according to the agreed upon factors.
7. Why should Disaster Recovery Plans be tested and updated?
As hardware and software are updated and personnel changes occur, the current DRP may not work as intended. By testing the DRP regularly, the district can expose any issues that may arise during an actual emergency and, thereby, develop new procedures to ensure the DRP will work as needed in an emergency.
8. How should Disaster Recovery Plans be tested and updated?
There are many ways to test a DRP to give assurance about its effectiveness. DRP testing should include verifying that all plan participants fully understand their responsibilities in addition to testing the assumptions of the plan where possible. Testing could range from doing a tabletop exercise and discussing how the district should recover its operations to performing a more elaborate test of the plan including participants in a test scenario exercise.
It is common to have IT responsible for disaster recovery testing; however, system managers, other applicable district staff, and decision-makers should also be accountable for their specific roles within the plan related to testing the plan’s effectiveness.
9. How should disaster recovery tests be documented?
Disaster recovery testing documentation should describe how the district performed the tests, what the test results were, and any lessons learned from the test. If the tests did not identify any problems or gaps in the DRP, the district should document details of how the tests conducted showed that the plan worked. If the tests identified problems or gaps in the DRP, the district should document details of how the tests conducted showed that the DRP failed, why it failed, and how the district can remedy the issue(s). Maintaining these test records allows the district to track changes to the disaster recovery plan and to ensure, throughout its lifetime, that the plan still meets the original design intention.
It is typically IT’s responsibility to determine appropriate disaster recovery test documentation to illustrate the testing outcome and challenges; however, system managers and decision-makers should be informed of the test outcome.
10. Why is data classification important?
Data classification is a process to categorize data by its sensitivity. This categorization can be used to apply security standards and practices. A district should identify what data is important, sensitive, or critical, such as personally identifiable information (PII), or student data as defined by the Family Educational Rights and Privacy Act (FERPA). This allows the district to ensure it appropriately protects sensitive and confidential information.
Classifying data and restricting a user’s access based on the least privilege necessary are correlated, as unauthorized users should not have access to sensitive data, and authorized users should have only the access they need to do their job. A district can use data classification in combination with assigning privileges to identify what data is appropriate for which positions and grant access to those employees (See FAQ #1 for additional information on least privilege).
It is common for IT to be responsible for establishing the controls that ensure the various classifications of data are adequately protected. IT should work with decision-makers to ensure that the controls in place for each data class accurately reflect the district’s needs for the data within that classification.
11. Why is logging and monitoring important, and what types of IT activities should a school district log and review?
Proper monitoring can help a district be proactive and address potential threats and other issues before harm occurs. Logging and monitoring are essential to ensuring the integrity of district data. Logging involves keeping a record of changes and actions related to the district’s network and computer systems. Monitoring involves the timely review of logged activity that a district deems important, to ensure the actions being performed are appropriate.
Most accounting and student information systems, as well as their databases, have logging functionality built in, often enabled by default. On the IT infrastructure side, operating systems and network devices, such as firewalls, web filters, and anti-malware products, can also be configured to log activities and events for review. IT staff often need to manually enable this type of logging, but it can add value to operations.
Due to the nature of IT systems, logs can quickly become unmanageable in length. As a result, a district should determine the key activities or critical IT events and areas to log and monitor, such as those affecting security, availability, and appropriate use of its computer systems and other resources. Once the district has identified what data is sensitive and what actions it is most concerned about, such as unauthorized users accessing the network, it should log and monitor these events and follow up when something occurs that requires attention. The district should review these logs on a regular basis to ensure appropriate actions are taken to resolve issues identified. Some organizations find it useful to develop or acquire software to help them correlate, monitor, alert, and report on the events they decide to log.
IT should generally be responsible for logging and monitoring efforts; however, it is also important for system managers to be accountable for identifying those key activities that should be monitored, such as activities that do not have a compensating control elsewhere or that pose a segregation of duties issue. System managers should also monitor logged activity reports to help ensure that activities are appropriate and follow up and remediate any questionable activities if necessary.
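A small log review of the kind FAQ #11 describes, added here as an illustration rather than code from the Auditor General's FAQ: it flags repeated login failures (unauthorized access attempts), logins by accounts HR has reported as terminated (the HR-to-IT gap in FAQ #2), and access-rights changes made by someone outside IT (the segregation-of-duties issue in FAQ #1). The key=value log format, the sample lines, the account names and the failure threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines: one timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T07:58:01 event=LOGIN_FAIL user=jsmith src=10.0.5.21
2024-03-04T07:58:04 event=LOGIN_FAIL user=jsmith src=10.0.5.21
2024-03-04T07:58:07 event=LOGIN_FAIL user=admin src=10.0.5.21
2024-03-04T07:58:09 event=LOGIN_FAIL user=admin src=10.0.5.21
2024-03-04T07:58:12 event=LOGIN_FAIL user=root src=10.0.5.21
2024-03-04T08:02:40 event=LOGIN_OK user=mlee src=10.0.7.14
2024-03-04T08:15:22 event=LOGIN_OK user=rgarcia src=10.0.9.3
2024-03-04T09:30:05 event=ACCESS_CHANGE actor=bmanager target=tnguyen role=purchase_order.create
2024-03-04T09:31:10 event=ACCESS_CHANGE actor=itadmin1 target=tnguyen role=payroll.view
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, sep, value = pair.partition("=")
        if not sep:
            return None  # malformed field; surface it rather than guess
        fields[key] = value
    return fields


def review_log(text, terminated_users, it_admins, fail_threshold=5):
    """Return a list of findings a reviewer should follow up on.

    terminated_users: accounts HR has reported as separated (should not log in).
    it_admins: the only accounts permitted to change other users' access.
    """
    findings = []
    fails_by_src = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            findings.append(("UNPARSED", raw))
            continue
        kind = ev.get("event")
        if kind == "LOGIN_FAIL":
            fails_by_src[ev["src"]] += 1
        elif kind == "LOGIN_OK" and ev["user"] in terminated_users:
            findings.append(("TERMINATED_LOGIN", ev["ts"], ev["user"]))
        elif kind == "ACCESS_CHANGE" and ev["actor"] not in it_admins:
            findings.append(("NON_IT_ACCESS_CHANGE", ev["ts"], ev["actor"], ev["target"]))
    for src, n in fails_by_src.items():
        if n >= fail_threshold:
            findings.append(("REPEATED_LOGIN_FAILURE", src, n))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG, {"rgarcia"}, {"itadmin1"}):
        print(finding)
```

The terminated-user list and IT admin set are the inputs HR and the system manager would supply; everything else comes from the log.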
12. What are the steps a school district should take to help adequately secure its network and data?
To help protect both their physical and digital assets from malicious threats and inappropriate use, a district should compare its existing network and data policies and procedures to industry standards and best practices (See FAQ #5) to ensure appropriate controls are in place.
For instance, the district should:
IT is responsible for ensuring the network is secure and adequately protected from unauthorized access.
13. What benefits do network directory services, such as Active Directory in Windows, Open Directory in Apple’s Mac OS, or Red Hat Directory for some Linux implementations, offer a school district?
Network directory services provide a shared infrastructure and often a central information repository that a district can use to help locate, manage, administer, and organize network resources, such as users, groups, devices, and storage volumes. These services also provide capabilities to set and manage policies that apply to these resources. For example, use of directory services would allow a district to set and manage policies that govern what district users and workstations can and cannot do and what resources they can and cannot access. Changes to the workstation policies would be automatically applied to all of the district’s workstations, instead of requiring IT personnel to make changes to each computer manually. Properly configured, this would help ensure that no computer on the network would be running outdated policies.
IT is responsible for ensuring appropriate user account management on the network.
14. Why should a school district use a newer operating system?
Newer operating systems often have increased security features, as newer security technologies and approaches are generally incorporated and implemented in them. These security features can range anywhere from better reporting of problems to new technologies that increase the system’s level of security. Newer operating systems are also more likely to be patched against known security issues, so it will be harder for malicious users to break into the system using techniques to which older operating systems were vulnerable.
Despite the benefits of newer operating systems, the district should fully test any upgrades, like any other software installation. The district should ensure that the newer operating systems will function properly with any software in use and will integrate well with the network. Should the district find any incompatibilities, these should be resolved before implementing any new operating system into its live environment.
Regardless of the upgrade frequency a district chooses, it is important to ensure the vendor actively supports the operating system in use so it can continue to receive security fixes for known vulnerabilities or bugs. The district should plan to replace any operating systems or software that may be close to the end of its useful life or no longer eligible for support from its vendor.
IT is responsible for ensuring appropriate operating system use within the school district. This includes IT updating decision-makers when operating systems may be approaching end-of-life so that they can consider any budget requests.
15. What should a school district consider before instituting a Bring Your Own Device (BYOD) practice, allowing use of social media/networking, wireless networks, or remote access?
Decision-makers, system managers, HR, and IT should discuss the potential implications involved with social media, wireless and remote access, and personal devices. Following a district-wide determination of appropriate technologies, IT will typically develop the related policies and submit them to decision-makers for review.
As with any change in practice, before a district adopts or permits a new technology, it should consider the security risks that technology introduces, ways to help mitigate those risks, and what policies will be needed to guide its use. A few examples of risks to consider for BYOD, social media, and wireless and remote access are listed below.
BYOD
Social Media
Wireless
Remote access to systems and resources from locations outside the district
16. Why are technology user agreements important?
Technology User Agreements (sometimes called Electronic Information System Agreements or Acceptable Use Agreements) help the district ensure that all district staff and students are informed of district policies regarding technology resources and of the appropriate behavior when using those resources. User Agreements provide the district with a record of when users agreed to policies so it can properly enforce technology policies.
Typically, IT will develop appropriate user agreements and submit them to decision-makers for approval. After approval, it is the IT department’s responsibility to enforce the user agreement policy.
17. When should a district implement multifactor authentication controls for accessing its IT systems?
At a minimum, a district should implement multifactor authentication or compensating controls for all users with remote or administrative access to its critical IT systems (i.e., systems that contain sensitive information or are necessary for district safety, mission, business, or security operations), to help protect those systems and sensitive information contained within them. Multifactor authentication uses more than 1 of the following factors to gain access to an IT system:
Recently, the Cybersecurity & Infrastructure Security Agency updated its Bad Practices Catalog to include the practice of “Single-Factor Authentication for remote or administrative access” to critical systems. This practice is a security risk and addressing it will help protect systems against cyberattacks. The National Institute of Standards and Technology (NIST) and the Arizona Department of Administration Strategic Enterprise Technology (ADOA-ASET) made similar updates to their authentication configuration guidance. The related NIST special publications and ADOA-ASET policies and procedures, which are based on NIST’s guidelines, are available at:
Districts should conduct a risk assessment to determine appropriate changes to authentication configurations. The risk assessment should help identify any systems that may need additional authentication controls, determine if those systems can implement additional authentication controls, and if not, determine what compensating controls may help limit access to critical systems and sensitive information to only those individuals who need it for their job responsibilities.
Districts may also refer to the following credible resources for viewpoints on single-factor and multifactor authentication.
18. Where can I find information about Arizona’s data-breach laws?
The Arizona Attorney General’s website (azag.gov) has a page, Arizona’s Data-Breach Notification Law FAQ, with information regarding the data-breach laws covered in Arizona Revised Statutes §§18-551 and 18-552.
Copyright (c) 2022 Arizona Auditor General