
Ravenna Public Schools Information Security Policy
1. Purpose
To safeguard the confidentiality, integrity, and availability of information systems and data within Ravenna Public Schools, ensuring compliance with applicable laws and regulations.
2. Scope
This policy applies to all employees, contractors, vendors, and third parties with access to Ravenna Public Schools’ information systems and data.
3. Governance and Oversight
Information Security Officer (ISO): Appointed by the school board, responsible for overseeing the implementation and enforcement of this policy.
Cybersecurity Advisory Committee: Comprises IT staff, administrative leaders, and legal counsel; the committee regularly reviews and updates security measures.
4. Compliance with Legal and Regulatory Requirements
Ravenna Public Schools shall comply with the following federal and state regulations:
Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records.
Children’s Online Privacy Protection Act (COPPA): Imposes certain requirements on services directed to children under 13 years of age.
Protection of Pupil Rights Amendment (PPRA): Governs the administration of surveys and the collection of data from students.
Children’s Internet Protection Act (CIPA): Requires schools to implement internet safety policies and technology protection measures.
Individuals with Disabilities Education Act (IDEA): Ensures that students with disabilities have access to appropriate educational services.
State-Specific Legislation: Adherence to Michigan state laws and any applicable local regulations.
5. Cybersecurity Framework
The school district adopts the NIST Cybersecurity Framework (CSF) as a strategic model for managing cybersecurity risks. The CSF’s five core functions are:
Identify: Develop an organizational understanding to manage cybersecurity risk.
Protect: Implement safeguards to ensure delivery of critical infrastructure services.
Detect: Develop and implement activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity event.
Recover: Develop and implement activities to maintain plans for resilience and restore any capabilities or services impaired due to a cybersecurity event.
6. Data Protection and Privacy
Data Classification: All data shall be classified based on sensitivity and handled accordingly.
Encryption: Sensitive data shall be encrypted both in transit and at rest.
Access Control: Access to data shall be granted based on the principle of least privilege.
Third-Party Services: Contracts with third-party vendors shall include data protection clauses and ensure compliance with FERPA and other applicable laws.
7. Incident Response and Reporting
Incident Response Plan: A documented plan shall be maintained to address cybersecurity incidents.
Reporting: All incidents shall be reported promptly to the Information Security Officer and, if necessary, to appropriate authorities.
Documentation: All incidents shall be documented, and lessons learned shall be used to improve future responses.
8. Training and Awareness
Employee Training: All employees shall receive regular training on information security policies and practices.
Student Awareness: Programs shall be implemented to educate students on safe and responsible use of technology.
Vendor Training: Vendors with access to school data shall be required to undergo security awareness training.
9. Monitoring and Auditing
Continuous Monitoring: Systems shall be continuously monitored for security threats and vulnerabilities.
Audits: Regular audits shall be conducted to assess compliance with this policy and identify areas for improvement.
Reporting: Audit results shall be reported to the Cybersecurity Advisory Committee and used to enhance security measures.
10. Policy Review and Updates
This policy shall be reviewed annually and updated as necessary to address emerging threats, changes in legal requirements, and technological advancements.
For further guidance and resources, Ravenna Public Schools may refer to the following:
CoSN’s NIST Cybersecurity Framework Resource Alignment for K-12
Student Privacy Policy Office - Data Security: K-12 and Higher Education
These resources provide templates, best practices, and tools to assist in the development and implementation of information security policies tailored to K-12 educational institutions.
