I. INTRODUCTION AND SCOPE
II. DATA EXCHANGE
III. ACCOUNTS AND PASSWORDS
IV. EMAIL SECURITY
V. DOWNLOADING/INSTALLING SOFTWARE
VI. INTERNET USAGE
VII. REPORTING SUSPICIOUS USAGE
VIII. RESPONDING TO SUSPICIOUS ACTIVITY
IX. NETWORK TRAFFIC SECURITY
This is the security policy for the IS department of the Knox County School System. The purpose of this policy is to set forth a list of rules and standards to ensure the safety of the confidential information we maintain. This information includes but is not limited to student registration, student schedules, student grades, student attendance, student discipline, teacher registration data, payroll, human resources stored by payroll, and free/reduced lunch information.
The transmission of data in or out of the office occurs through phone, fax, email, paper, and disk. Sensitive data (the data we are to protect, as described in the introduction) should only be transmitted through certain mediums under certain conditions. These are as follows: If the user is ever unsure of any of these conditions, they should not send the data through that medium and should contact the Director of IS by calling (865) 594-1830.
Accounts as covered by this policy refer to the accounts used by users of the payroll server, the food services server, and the Star Student database and web servers. Users should only use accounts created for them (the exception being administration using root, administrator, and database usernames). Only the privileges needed by the user should be given to that user. No shell access should be granted to non-administration users. Routine checks should be made to ensure that all accounts on each server, and the permissions for those accounts, are still active and needed.
Passwords should NEVER be transmitted over the phone or by any other medium to any other person. Administration will only need the username of the person in question to perform support tasks. Passwords should NEVER for any reason be written and left somewhere accessible by anyone but the user.
As per the Accounts and Passwords policy, the user should never give a password out to anyone. As per the Data Exchange policy, sensitive data should only be sent through email from a ten-nash.ten.k12.tn.us email account to another ten-nash.ten.k12.tn.us email account, and only when the sender is sure the person receiving the email is entitled to the data being sent. Exceptions to this policy will be considered on a case-by-case basis.
Email attachments should be considered carefully before opening them. Check the last 3 letters in the name of the email attachment to determine the type of the file. No email attachment should be opened if the filename ends with ".vbs". If the user is unsure of the type of attachment, they should contact the Director of IS by calling (865) 594-1830.
Any software to be downloaded and/or installed from the Internet should be considered carefully. The user should know the source of the software as well as the purpose of the software. Any and all files downloaded should be checked with anti-virus software before and after installing/using the files. Any software that manipulates or uses network protocols should be pre-approved by the team leader or security administrator. If the user has any doubts or questions about a software package and/or its source, then that user should contact the Director of IS by calling (865) 594-1830 before downloading.
Users should use their best judgement regarding the amount of time, the content, and when the Internet is used. All of these should be in compliance with standard Knox County Schools policies. Beyond that, it is your responsibility to be aware of and avoid any activities that would cause sensitive information to be shared with those not authorized to view it.
If a user becomes aware of a situation where this policy is being compromised or of a situation which could be a possible security risk, that user should contact the Director of IS by calling (865) 594-1830. Examples of such cases include but are not limited to a user that has not changed their default password, a user that has their username/password posted on their computer, an insecure exchange of sensitive data, a user that has received or sent a suspicious email attachment, or a user that has downloaded and installed an application that may be harmful to the network.
The SIS team leader and/or security administrator will respond to the security risk as efficiently as possible. Actions will be taken to resolve the problem and educate the user(s) in question to make sure the problem does not occur again. If the problem cannot be resolved in a timely manner, then access and/or resources will be restricted or denied as deemed appropriate. Each case is unique, and resolutions are at the sole discretion of the team leader and/or security administrator.
Network traffic is to be policed by multiple firewalls. The firewalls are to filter traffic to all servers we maintain. Only those servers known to need access to a server will be given access to a server. If you need access and do not have access, you must first contact the SIS Team Leader or security administrator so they may verify and give access as needed.