skip to main content

HCPSS / POLICIES

Policy 3040 – Technology Security

The purpose of this policy is to provide requirements for maintaining the confidentiality, integrity, availability, and accountability of HCPSS technology resources and data. The policy will address protection of HCPSS technology, account credentials, technology equipment accountability, network security, physical security, configuration management, and data security.

Policy Document

I. Policy Value Statement

The Board of Education of Howard County (Board) recognizes the value of technology security throughout the Howard County Public School System (HCPSS). The Board values the need for a clear and consistent technology security policy, in compliance with legal and regulatory mandates, that promotes awareness and communicates expectations for safeguarding and securing HCPSS technology.

II. Purpose

The purpose of this policy is to provide requirements for maintaining the confidentiality, integrity, availability, and accountability of HCPSS technology resources and data. The policy will address protection of HCPSS technology, account credentials, technology equipment accountability, network security, physical security, configuration management, and data security.

III. Standards

  1. Protection of HCPSS Technology

    1. HCPSS reserves the right to take all necessary legal action to protect the confidentiality, integrity, availability, and accountability of its technology.

    2. HCPSS reserves the right to take all necessary legal action to prevent its technology from being used to attack, damage, harm, or exploit others.

    3. Use of HCPSS technology or non-HCPSS technology to gain or attempt to gain unauthorized access to any HCPSS system or information is prohibited.

    4. Use of HCPSS technology to gain or attempt to gain unauthorized access to any non-HCPSS system or information is prohibited.

    5. HCPSS reserves the right, in accordance with legal and regulatory mandates, to monitor, archive, audit, or purge the contents of electronic communications, files, and other material created or stored using HCPSS technology, or data transmitted over HCPSS networks.

    6. HCPSS reserves the right, in accordance with legal and regulatory mandates and as authorized by the Superintendent/designee, to access or disclose, for investigative purposes, the contents of electronic communications, files, and other material created or stored using HCPSS technology or data transmitted over HCPSS networks.

    7. Failure by any individual using HCPSS technology to comply with this policy will result in the temporary or permanent restriction of technology access privileges, in addition to any applicable disciplinary actions or financial obligations.

    8. HCPSS will maintain technology security incident response procedures in support of this policy and regulatory mandates including Maryland breach notification requirements.

  2. Account Credentials

    1. Individuals using HCPSS technology will authenticate using individual account credentials. Exceptions will be approved by the Superintendent/designee and documented.

    2. Individuals are prohibited from sharing HCPSS-assigned account credentials unless permitted, in writing, by the Superintendent/designee.

    3. Individuals are granted access to HCPSS data and online resources based on a least privilege methodology.

    4. Access to HCPSS technology, granted by virtue of the individual’s role, will be terminated when the individual’s role is fulfilled or terminated.

    5. Individuals may be required to use multi-factor or other enhanced authentication methods to access HCPSS systems.

    6. Access to service accounts and other non-user accounts will be restricted to only designated HCPSS employees, and these credentials will be stored securely with limited access.

  3. Technology Equipment Accountability

    1. All HCPSS technology equipment will be accounted for and tracked by location and functionality in an automated system before distribution.

    2. HCPSS technology equipment will be audited periodically to ensure consistency and accuracy of the automated inventory system.

    3. All HCPSS technology equipment must be disposed of in accordance with the National Institute of Standards and Technology (NIST) published standards.

  4. Network Security

    1. All HCPSS technology networks will be designated as open or restricted.

      1. Restricted HCPSS technology networks will be configured to protect against unauthorized access.

      2. Individuals are prohibited from connecting non-HCPSS technology to restricted HCPSS networks without prior written approval from the Superintendent/designee.

      3. Individuals may connect non-HCPSS technology to open wireless HCPSS technology networks in accordance with Policy 8080 Responsible Use of Technology, Digital Tools, and Social Media.

    2. HCPSS will employ banner text, where practical, to provide notice of legal rights and responsibilities to individuals using HCPSS technology.

  5. Physical Security

    1. Physical access to HCPSS data centers, main distribution frames (MDFs), and intermediate distribution frames (IDFs) will be controlled to prevent and detect unauthorized access to these areas. Access to these areas will be granted to those persons who have legitimate responsibilities in those areas.

    2. All HCPSS data centers will be secured using technologies that monitor individual access and provide auditable access logs.

    3. Individuals responsible for HCPSS technology must take reasonable steps to ensure the physical security of HCPSS technology.

  6. Configuration Management

    1. HCPSS technology systems will be evaluated for appropriate security controls and approved by the Superintendent/designee.

    2. HCPSS technology systems will be monitored to confirm configuration and to determine the effectiveness of security controls.

    3. Changes to HCPSS technology systems will be evaluated, approved, and documented by the Superintendent/designee.

  7. Data Security

    1. Methods for transmitting and storing student education records, personnel records, or confidential data electronically will be reviewed and approved by the Superintendent/designee.

    2. Personally Identifiable Information (PII) will be secured and any unauthorized disclosures of PII will be document and provided to the Superintendent and the Board set forth by the guidelines in Policy 3050 Records Management and Policy 3060 Student Data Governance and Privacy.

IV. Responsibilities

  1. The Superintendent/designee will maintain guidelines for secure configuration of HCPSS technology.

  2. The Superintendent/designee will maintain a process for creating, managing, and documenting account credentials.

  3. The Superintendent/designee will inform HCPSS technology users regarding the provisions of this policy at least annually.

  4. The Superintendent/designee will provide to the Board annually, a report evaluating technology security policy implementation.

V. Delegation of Authority

The Superintendent is authorized to develop appropriate procedures for the implementation of this policy within the limits set forth by this policy.

VI. Definitions

Within the context of this policy, the following definitions apply:

  1. Account Credentials – Any data or object used specifically for the purpose of gaining access (authenticating) to an electronic system, usually a username and password combination.

  2. Authentication – Verification of an individual’s identity through username/password or other mechanism.

  3. Banner Text – The notification sent to a user prior to authentication on a system.

  4. Confidential Data – Individual, fact, statistic or item of information whereby access is restricted based on least privilege.

  5. Data Center – A dedicated area of a building that supplies the electrical necessities and environmental conditions required to operate servers, network technology, and other HCPSS electronic systems.

  6. Digital Tool – Any website, application (app), or software that requires an account.

  7. Intermediate Distribution Frame (IDF) – A non-primary distribution area for data cables from the main distribution frame.

  8. Least Privilege – The methodology whereby each user is assigned only the appropriate level of access to data needed for their responsibilities.

  9. Main Distribution Frame (MDF) – The primary distribution area for connecting HCPSS equipment to subscriber carrier equipment.

  10. Network – The physical means of transmitting data between computer systems; includes wired and wireless technologies.

  11. Online Resource – Any website, application (app), or software that does not require an account.

  12. Personally Identifiable Information (PII) – Any information that, alone or in combination, would make it possible to identify an individual with reasonable certainty.

  13. Technology – Electronic devices, network infrastructure, or applications including but not limited to software, online resources, digital tools, social media, and email.

VII. References

  • Electronic Communications Privacy Act/Stored Communications Act, 18 U.S.C. §2701-2712

  • Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232(g)

  • Title XVII, Children’s Internet Protection Act, 47 U.S.C. §254(h) and (l)

  • Md. Code Ann, Com. Law §§ 14-3501 et seq. (2016) (Maryland Personal Information Protection Act)

  • Md. Code Ann, State Govt. §§ 10-1301 to 10-1308 (2017) (Protection of Information by Government Agencies

  • Md. Code Ann, Education §4-131 (2015)

C. Relevant Data Sources

  • Central Inventory Database

  • Help Desk Database

  • Information Technology Audit Logs

D. Other

  • Data Center Access Procedures

  • HCPSS Device Agreement Form

  • HCPSS Student Code of Conduct

  • Information Technology Change Management Guideline

  • National Institute of Standards and Technology (NIST) Special Publication 800-88

  • Guidelines for Media Sanitization

  • Office of Security Management Maryland Minimum Cybersecurity Standards Version 1.0 Issued May 22, 2023

  • Request for Computer User Account Form

  • Technology Security Incident Handling Form

  • The State of Maryland (SOM) Information Technology Security Manual, Version 1.2 Issue June 2019

  • The State of Maryland Information Technology (IT) Disaster Recovery Guidelines, Version 4.0 Issued July 2006

VIII. History

ADOPTED: March 11, 2010

REVIEWED: January 27, 2023

MODIFIED:

  • May 12, 2022

  • January 11, 2024

REVISED:

  • May 9, 2013

  • June 9, 2016

EFFECTIVE: January 11, 2024

Policy History Key

  • Adopted-Original date the Board took action to approve a policy
  • Reviewed-The date the status of a policy was assessed by the Superintendent’s Standing Policy Group
  • Modified-The date the Board took action to alter a policy that based on the recommendation of the Superintendent/designee did not require a comprehensive examination
  • Revised-The date the Board took action on a that policy based on the recommendation of the Superintendent/designee needed a comprehensive examination
  • Effective-The date a policy is implemented throughout the HCPSS, typically July 1 following Board action.