
MCSD IT Plan Document Information

Title: MCSD IT Security Plan


Type: MCSD Procedural Plan
Audience: MCSD IT Employees and Management
Approval Authority: Assistant Superintendent for Technology & Personnel
Contact: mail to: bakatsm@marlboroschools.org
Status:
Proposed: January 17, 2010
Approved: TBA

MARLBORO CENTRAL SCHOOL DISTRICT
Information Technology Security Plan








January 17th, 2010
Table of Contents
Introduction
Information Technology Security Safeguards
Physical Security
Personnel Security
Data Communications Security
Phone System Security
System Access Security
Legal Safeguards
Network Usage Policy
Ensuring System Integrity
Security Verification
Security Logs
Security Verification Team
Handling Non-compliance
Security Awareness and Training
Appendix A. Windows Client for Netware Configuration Utility Settings
Appendix B. Standard Novell Netware 6.5 Security Settings
Appendix C. Standard Firewall (FORTIGATE-310B) Settings
Appendix D. List of staff who have access to the Network Operations Center
Appendix E. Security Verification Team
Introduction
The Marlboro Central School District is referred to throughout this document as "MCSD". The objectives of the MCSD IT Security Plan are the following:
- Acquaint employees with the security procedures required to ensure protection of information technology systems at MCSD.
- Clarify employee responsibilities and duties with respect to the protection of information resources.
- Enable managers and other workers to make decisions about information security which are in keeping with standard policies and procedures, and which are responsive to prevailing local conditions.
- Coordinate the efforts of different groups within MCSD so that information resources are properly and consistently protected, regardless of their location, form, or supporting technologies.
- Provide guidance for the performance of information system security audits and reviews.
- Demonstrate upper management support for a strong information security program at MCSD.
- Establish a basis for disciplinary actions when required to protect MCSD information assets.

MCSD is taking appropriate steps to ensure its information systems are properly protected from all security threats. All MCSD information systems shall be protected, regardless of storage or transmission medium.

Three key concepts form the backbone of the security program at MCSD:
1. The District's commitment to protecting vital and confidential electronic files.
2. All information access is granted consistent with the staff technology acceptable use policy and other applicable Board of Education policies and administrative regulations.
3. Information security is the responsibility of all computer system users.
All security procedures in this document are written with these three concepts in mind.
MCSD Information Security Officer

Information Security Officer. The District maintains personnel who serve as primary Information Security Officers. The Assistant Superintendent of Technology and Personnel serves as the primary Information Technology Security Officer. The Assistant Superintendent of Technology and Personnel and the Technology Services Staff serve to implement and maintain security of electronic information. The Assistant Superintendent of Technology and Personnel and the Network Administrator are responsible for assessing the security risks and external threats, recommending actions to minimize those risks, and conducting program reviews to assess the adequacy of internal controls, structures, and business processes to protect school information and technology resources.
The MCSD Information Security Officer and Network Administrator have been assigned the following responsibilities:
- Maintain and verify network and host security for all business systems.
- Develop and maintain formal security policies and procedures.
- Maintain and verify user ID and data set security databases.
- Maintain and verify Novell Netware 6.5 group and user ID security databases.
- Verify and review Network Share Level access rights.
- Verify Local Area Network switch/router security settings.
- Collaborate with Orange/Ulster BOCES and the Mid Hudson Regional Information Center on information security planning and maintenance.
- Develop and maintain a formal security awareness and training program.

Information Technology Security Safeguards
This security plan requires that good management practices be followed to implement information technology security safeguards based on the MCSD IT Risk Assessment. The following is a list of requirements for all information systems maintained at MCSD.
Physical Security
- All network servers shall be in a locked room or secured in a locked enclosure.
- All network server rooms shall have CO2 based fire extinguishers located within the room. Network Technicians shall be aware of the location of the closest fire alarm. The network server room shall have a smoke detector installed in the room.
- The network server room should be monitored for temperature and humidity.
- All network servers shall be run on an uninterruptible power supply (UPS).
- An access list of personnel that are approved access to the server room or LAN/Phone closet shall be kept. A logging system shall be set up to document any visitors to the server room or LAN/Phone closet not on the approved access list. All visitors to the server room or LAN/Phone closet shall be escorted at all times.
- No drinking is allowed around computer equipment.
- Sensitive information shall not be stored on portable computers that are taken outside of secured areas.
- Do not leave confidential information on desks after working hours or in rooms that are unattended.
- When dealing with confidential information, ensure that no one is watching over your shoulder. This precaution should also be taken when typing in passwords.
- Attended operation is required when printing confidential information to an unsecured location.
Personnel Security
Existing Federal, state law, and regulations impose significant responsibilities on employees for the security of information. Therefore, MCSD has instituted the following personnel security measures:
- Prospective new employees applying for positions which have access to sensitive data will be screened as to their trustworthiness in handling sensitive data.
- All individuals with access to sensitive data must be familiar with MCSD policies and procedures relating to sensitive data.
- Technical support personnel will be cross-trained so that procedures can be followed unaffected by the absence of any one key individual.
Data Communications Security
A Firewall and Security Services (i.e., Firewall) shall be placed between each organization's network and the MCSD wide area network (WAN) which provides MCSD with Internet access. Where possible, individuals shall use only encrypted means of accessing information across the Internet. Where this is not possible, individuals shall not pass sensitive business information. Encryption methods shall use at least 128 bit encryption keys.
Dial-in access to the MCSD network shall be strictly controlled. A list of all modems or other connections connected to the MCSD network shall be kept. No equipment shall be connected to the MCSD network without prior approval of the MCSD Security. The list of devices shall also specify which modems/ports are granted dial-in access. All dial-in and dial-out shall be accomplished using the MCSD network server when available in order to ensure that all network access is logged. All modems must be set to not answer until the 4th ring and should use dial-back verification where possible.
Phone System Security
The phone system is meant primarily to handle the business needs of MCSD. To this end, personal use of the MCSD phone system should not interfere with the business operations of MCSD. Also, MCSD should not be charged for long distance toll calls. Therefore under normal circumstances 900 numbers shall not be dial-able from MCSD phones.
System Access Security
Authentication
The identity of each individual who accesses business information must be verified before given access to the information. This identification process is normally performed using the user ID/password process. The user ID determines who the user is claiming to be. The submission of a correct password is taken to mean that the person is actually who the user ID claims them to be.
- Use of shared user IDs shall be limited to workstations allowing only single function use (such as workstations secured so that they can only be used to browse the web).
- All users shall be forced to change their passwords every 180 days.
- MCSD Systems shall be set to lock out further logon attempts for at least 5 minutes after 5 failed attempts have occurred.
- A notice of last logon time and date is recorded.
Password Policy
Passwords are generally obtained by 4 common methods. Therefore, MCSD requires that all passwords have 4 characteristics that ensure they will not be found using one of the 4 common methods. All passwords used at MCSD must be:
- Long - (Minimum 6 characters) to thwart brute force attacks
- Non-English - i.e., not in an English dictionary to thwart dictionary attacks, therefore MCSD requires that all passwords have at least one non-alphabetic character in the password
- Un-guess-able - not obtainable from information known about the person. This characteristic keeps an attacker from guessing the password.
- Memorable - allows the user to remember the password without writing it down. This characteristic ensures an attacker will not find a written down password.
In addition to the 4 characteristics of individual passwords, to maintain good security individual passwords should not have any relationship to other passwords in use. That way if an attacker obtains one password, they will not be able to gain access to other passwords maintained by the same person. Passwords should not be accessible by anyone except by the owner of the password. Passwords should be changed regularly.
- Passwords should not be cyclical. When a password expires, do not name the new password as an identifiable iteration of the last password (i.e., pass1, pass2, pass3, etc.)
- Passwords used in the business should not be used on systems outside the business.
- Do not share passwords with others.
- Passwords must not be stored in readable form in batch files or other locations unless sufficient security precautions are taken to ensure the security of the password.
- All vendor default passwords must be changed upon system installation.
- If a suspected disclosure of passwords has occurred, all involved passwords shall be immediately changed.
- Proof of identity is required to obtain a reset password.
- All users will be forced to change their passwords at least every 90 days or their accounts will be automatically disabled.
- New passwords will be issued in a state that requires immediately changing the first time the user logs on.
Data Classification
All sensitive information shall be labeled either "confidential" or "internal use only" in the document containing the sensitive information. At least once per quarter, the MCSD Security Engineer will search the MCSD network to ensure that confidential and internal use only documents are not accessible to the general public.
- All personal data shall be treated as confidential information.
- All storage media shall be classified to the highest level of information they may contain.
- All storage media must be destroyed or securely wiped before disposal.
Access Rights
Once a user is authenticated, they are only given access to information necessary to complete their job function. All data shall be controlled to limit access to individuals who need access to the information.
- Dormant user IDs shall be removed every 12 months.
- A list of access rights to network resources shall be generated and reviewed by management yearly.
Legal Safeguards
Licensing
- MCSD must have documentation proving compliance with software license agreements.
- If an end user loads personal software on their PC, they must provide the MCSD help desk with a copy of the software license and proof of purchase or a statement saying that the user has in their possession a legal license for this software.
- MCSD is committed to obeying intellectual property laws such as the U.S. copyright law as it relates to electronic information and copyrights.
- The MCSD security officer will perform a periodic review of software licensing to ensure that MCSD is in compliance with its software license agreements.
Privacy
- MCSD shall attempt to ensure privacy of communications over its telephone and data networks. However, it should be noted that messages sent over MCSD internal electronic mail systems are not subject to the privacy provisions of the Electronic and Communications Privacy Act of 1986, and therefore may legally be read by MCSD management and system administrators if deemed necessary to meet business requirements.
- All MCSD information systems, consisting of the equipment and information stored in MCSD information systems, are considered MCSD's property and as such may be accessed, moved, read, etc. as needed to meet MCSD business requirements.
- Statistical information derived from business information systems may be disclosed to parties outside the business only if the individuals can not be identified by the information released.
Legal Disclaimer
Legal disclaimer shall be placed on all network access points. Disclaimers shall be set up as a logon banner upon network logon and as a link at the bottom of all MCSD web pages.
Logon Banner:
"By using this computer, you implicitly agree to the terms of the MCSD Information Technology Acceptable Use Policy"
Web Disclaimer
"Information may be posted and maintained on Individual sites by MCSD personnel ("Individual Authors"). MCSD wishes to allow its users the greatest possible freedom to use these resources creatively and responsibly. However, technology services takes steps to screen, verify, edit, monitor or censor information posted by Individual Authors when content is not aligned to MCSD goals and objectives. Individual Authors and third parties outside MCSD are solely responsible for the content and organization of information posted by them, even if such information is accessed through the MCSD World Wide Web site. Should any MCSD World Wide Web site user discover something out of date or in conflict with MCSD's security policy or Federal or State law, please feel free to contact the Assistant Superintendent for Technology and Personnel."
Network Usage Policy
- Any program adversely affecting MCSD information systems may be removed at the discretion of the MCSD Security Engineer. Programs may be considered to adversely affect MCSD information systems by consuming excessive processor time, disk space, processor memory, or network bandwidth.
- Personal use of the MCSD network must not interfere with normal business activities. It must not involve solicitations or be associated with any for-profit outside business activity.
- Refer to District "Staff Acceptable Use Policy."
Ensuring System Integrity
Virus Protection
- It is the responsibility of each individual to scan their documents for viruses before sharing them with other people, both inside and outside of MCSD.
- A virus protection system shall be set up to automatically update all business virus scanners as new virus images are released.
- It is the responsibility of each individual to immediately notify the MCSD help desk upon finding a virus.
- All firewalls used at MCSD shall filter out incoming ActiveX and Java control viruses at the firewall.
- The virus protection system implemented at MCSD shall scan attached files while in the MS Exchange inbox.
- The virus protection system shall scan files immediately upon their being saved to a file server or workstation.
Redundancy and Tape Backup **
- All business data shall be stored in at least two separate locations.
- Where possible, the MCSD network shall be set up to limit the number of single points of failure in the system.
- Monthly full tape backup sets shall be stored for a minimum of six months.
- As server disks become full with archived data, migration of the archived data to a Storage Area Network (SAN) disk shall occur. Two copies of the archival disk shall be made. One copy shall be given to the information owner and one copy shall be kept in a safe under IT staff control.
** See Disaster Recovery Plan for more detail.
Security Verification
Security Logs
All actions relative to system security must be accountable. Therefore MCSD information systems shall meet the following requirements:
- System security logs shall list logon and logoff times and all other relevant security events in order to support security audits.
- System security logging shall be balanced to ensure logging of relevant security information while limiting the growth of the security log to a manageable size.
- All event logs must be stored for a minimum of 4 weeks.
- A method of automatic clock synchronization shall be set up on the MCSD network in order to ensure accurate time information in the security logs.
- All security related logs shall be reviewed on a consistent basis to ensure that MCSD security is not being compromised.
- Administrators shall not have rights to clear or alter security logs in order to ensure that the MCSD Security Engineer has accurate security information in the security log.
Security Verification Team
A security team shall be set up to test the security of the network using known techniques used by people who try to gain access to networks. This security team shall be identified in writing to the Central Office when testing of the MCSD network is about to take place. No testing of network security will take place without the authorization from Central Office. Upon completion of the security testing, full documentation as to the methods used and the results of the test shall be delivered to the Central Office.
Handling Non-compliance
Information Security Incident Management:
a. Definition. An information security incident includes, but is not limited to, one of the following events:
- Attempts (either failed or successful) to gain unauthorized access to a system or its data
- Unwanted disruption or denial of service
- The unauthorized use of a system for the processing or storage of data
- Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent
- Unauthorized disclosure of regulated or confidential information
b. Notification. Information technology employees must immediately notify their supervisor or director upon discovery of a possible or actual information security incident. Employees will immediately notify the Assistant Superintendent for Technology/Personnel if their supervisor or director is unavailable.
c. Reporting. Responsible information technology staff will initiate timely corrective action, document the incident and record lessons learned to prevent similar incidents from occurring in the future. The Technology Services Staff retain documentation related to all information security incidents.
d. Exceptions. If individuals believe they have a circumstance that requires exception to the MCSD IT Security Plan, upon agreement with the MCSD Information Security Officer they will be allowed access or a temporary override account. The MCSD Information Security Officer and Technology Services staff will provide ongoing monitoring of such instances.
It is mandatory that all employees of MCSD report all suspected security incidents to the MCSD Information Security Officer. They may do so by calling the MCSD help desk or calling the MCSD Information Security Officer directly. All reported security incidents must be investigated.
Security Awareness and Training
All individuals involved in the management, operation, programming, maintenance or use of information technology must be aware of their security responsibilities and know how to fulfill them. To this end MCSD has set up the MCSD Security Awareness and Training program. All individuals involved with information technology at MCSD shall receive an information technology security awareness briefing or be provided with appropriate information. In addition, employees will be provided with refresher awareness material or briefings as needed.
Individuals assigned responsibilities for information technology security shall be provided with in-depth training regarding security techniques, methodologies for evaluating threats and vulnerabilities that affect specific information technology systems and applications and selection and implementation of controls and safeguards.
The MCSD Information Security Officer shall be responsible for documenting and maintaining security training records.
Appendix A. Local Windows Client for Netware Configuration Utility Settings
Use the following procedure to ensure security of Windows workstations.
Local Security at each workstation:
- Restrict the "Run" section of the registry. This prohibits the intrusion of spyware, malware, and other malicious programs that require utilization of this resource to operate.
- Restrictions are in place for the following workstation components: My computer, network places, control panel, screen savers, background settings, and desktop.
Appendix B. Standard Novell Netware 6.5 Security Settings
Standard Group membership
Rights to files and directories
Rights to printers
Rights to the registry
Account Policies
Rights listed by User and Group
Trust relationships
Audit Settings for Accounts, Files, Printers, and the Registry
Event log settings
The Novell Client uses /01
Appendix C. Firewall Policy
The Marlboro Central School District is protected by the Fortigate-310B Firewall, the same firewall used by Orange/Ulster BOCES for network monitoring and protection of the BOCES network.
This device allows MCSD the access and protection it needs while utilizing services such as Web access, file transfer protocols (ftp), VPN access and remote administration. The firewall also blocks and logs intruder attempts to gain access to the MCSD network.
More specific information is listed below or go to http://www.fortinet.com/
Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions including:
- Firewall, VPN, and Traffic Shaping
- Intrusion Prevention System (IPS)
- Antivirus/Antispyware/Antimalware
- Web Filtering
- Antispam
- Application Control (e.g., IM and P2P)
- VoIP Support (H.323 and SCCP)
- Layer 2/3 routing
- Multiple WAN interface options
FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to separate various networks requiring different security policies.
Appendix D. List of Staff who have access to the Network Operations Center.
Bakatsias, Michael    Asst. Supt. For Technology & Personnel
Dalia, Franco    District Computer Programmer
Indelicato, Joel    District Network Specialist
1ulaga, Susan    Field Service Technician
Pollman, Werner    Operations & Maintenance
Sal2ano, Robert    Operations & Maintenance
Taddeo, 5erri    Student Data Specialist
Wheeler, Rick    Network Administrator
Appendix E. Security Verification Team
Bakatsias, Michael    Asst. Supt. For Technology & Personnel
1ulaga, Susan    Field Service Technician
Wheeler, Rick    Network Administrator
Jacke, Jedd    Orange-Ulster BOCES 89)":8;"9<(< ext. ;=:;>
Payne, Philip    Orange-Ulster BOCES 89)":8;"9<(< ext. ;=:>;
