ACTION, TO SHARE

LOS ANGELES UNIFIED SCHOOL DISTRICT

Office of the Chief Information Officer

DISTRIBUTION: All Schools and Offices ROUTING

Local District Superintendents
SUBJECT: BULLETIN NO. K-32 Secondary Principals
HANDLING OF ENCRYPTED CDs

DATE: February 4, 2003

DIVISION: Information Technology

APPROVED: MARGARET A. KLEE, Chief Information Officer

For further information, please call Patrick Luce, Coordinator, Network Security, (213) 241-1343 or
email patrick.luce@lausd.net.

I. INTRODUCTION

Information Technology Division (ITD) recently implemented a technology to digitize student

cumulative records. This technology provides the District with the ability to eliminate paper-
based storage of cumulative record files. In the interest of improving service to schools, ITD is
in the process of collecting the cumulative record folders of students who have graduated from
high schools, and digitizing them for central storage. Compact Disks (CDs) with digital copies
of the records will then be returned to the schools. These CDs allow school personnel to search
for digitized student records, and print them from a desktop computer. This will significantly
improve schools’ ability to quickly retrieve student transcripts upon request.

Although this technology will dramatically reduce the administrative effort required to provide
student transcripts, it also has implications for the protection of those student records. A single
CD can contain up to one thousand student records. The District has a legal obligation to
protect student cumulative records from unauthorized access. Poor security procedures within a
school could result in the compromise of these student records.

II. ENCRYPTION

Each student record CD is “encrypted” in order to protect the data it contains. “Encryption” is
the process of scrambling data so that it is not recognizable unless the user has a “key” to
access the data. “Decryption” is the process of using a key to unscramble the data back into a
recognizable form.
BULLETIN NO. K-32 -2- Information Technology Division
February 4, 2003

Each student record CD has a key known only to personnel within ITD. The key will be
installed directly onto up to two workstations at a school by ITD. The CD will only be readable
on workstations designated by the school, with special software installed under the supervision
of ITD. However, if a CD is left inside a machine and the machine is accessed or taken by an
unauthorized party, that unauthorized party will have access to the student records located on
that CD.

Each CD is also protected with a password to be entered by school personnel. This is to guard
against casual access to student records in the event that the CD is left in a machine. However,
in the event the machine is accessed or taken by an unauthorized party, it provides little or no
protection of the student records on the CD. As such, all LAUSD employees are responsible
for taking the appropriate steps, as outlined below, to secure student records distributed via
CDs to local schools.

III. POLICIES AND PROCEDURES

General

• All encrypted CDs may only be handled by employees (not students) of the District who have
read this policy and sign a formal agreement to follow all terms of this policy (Attachment A).
All agreement statements must be kept on file at the school site.
• Unauthorized personnel may not handle the CDs or access them at any time for any reason.
• Non-LAUSD employees may not handle the CDs or access them at any time for any reason.
• All encrypted CDs must be stored in a locked drawer or file cabinet when not in use. The CDs
must be stored separately from the workstation(s) from which they may be accessed.
• All workstations with decryption software installed must be in a location secure from public
access. The workstations must also be in a room or office that is locked after business hours.
• All student data CDs have a password that protects against casual access. This password must
be stored in a separate location from both the student CDs and the workstation(s) from which
the student CDs are accessed.
• In the event that an encrypted CD is lost or stolen, notify the Network Security Branch of ITD
immediately at (213) 241-1343. The remaining CDs at the school may be confiscated and re-
issued with new encryption keys at the discretion of ITD Security. If the school is re-keyed, a
new copy of the decryption software will be loaded on designated workstations at the school
by ITD representatives.
• In the event that a workstation used to access student data CDs is stolen, notify the Network
Security Branch of ITD immediately at the phone number shown above. The remaining CDs at
the school may be confiscated and re-issued with new encryption keys at the discretion of ITD
Security. If the school is re-keyed, a new copy of the decryption software will be loaded on
designated workstations at the school by ITD representatives.

###
 LOS ANGELES UNIFIED SCHOOL DISTRICT
Information Technology Division

BULLETIN NO. K-32 ATTACHMENT A

February 4, 2003

Employee Statement for the Use of Encrypted CDs Containing Student Records

I, _______________________________ (Print Name), recognize that the Los Angeles Unified

School District has a legal obligation to protect student records from unauthorized access. I
understand that, as an employee authorized to handle encrypted Compact Disks (CDs) that contain
student records, I must follow all procedures described in Bulletin K-32. I agree to follow all
policies and procedures pertaining to the handling of encrypted CDs containing student data as
outlined in Bulletin K-32, and any additional security policies as determined by the Principal of the
school.

In addition to the requirements for the handling of encrypted CDs, I understand that the information
contained on the CDs is subject to all other District policies and procedures that are in effect to
protect student confidentiality. I understand that improper disclosure of student information in any
form is prohibited by law, and that a disclosure resulting from my failure to comply with these
procedures may result in disciplinary action, including termination.

School Name:____________________________________________________________________

School Location Code:_____________________________________________________________

Employee Signature:________________________ Date:__________________________________

Principal Name:___________________________________________________________________

Principal
Signature:_________________________________Date:__________________________________

This document is for the internal use of the Los Angeles Unified School District (LAUSD)
Information Technology Division (ITD).