TASB Risk Management Fund
INSIDERM

Cybersecurity Series, Part 1

January 01, 2017 Cristina R. Blanton

Security Default

writing a privacy policyWhat you need to know about cyber safety

It is a crime to access a school district’s computer or network without permission by the district.

Texas law states that it is a crime if a person accesses a computer, computer network, or computer system that is owned by the government (this includes school districts) or other entity in violation of a clear and conspicuous prohibition by the owner of the computer, network, or system. The intent of this provision is designed to target hackers who would break into a computer, system, or network to steal the information contained on the device and use the information to defraud, harm, alter, delete, or damage the property or information taken.

What you can do:

  • Be sure that your Acceptable Use Policy (AUP) is updated and includes clear information that explains the acceptable and unacceptable uses of the district’s computers, wireless network (if applicable), network system, or any other technology device. Clear language should be included in district employee and student manuals or the district website prohibiting unauthorized use or access of the district’s technology and systems. Information about your district’s AUP can be found at CQ(LEGAL) and (LOCAL). 
  • Consult your organization’s risk manager if you have one, as well as the director of technology, immediately when a suspected incident of unauthorized access has occurred. This can help the district determine if any professional resources are offered through the district’s coverage carrier to assist in responding to the concern. For TASB Risk Management Fund members, the school district’s risk manager should also contact the Fund as soon as possible.   
    • If unauthorized access does occur, or there is suspicion of such activity, the organization should immediately begin addressing the concern to minimize the risk of exposure and determine if the unauthorized access has reached sensitive data stored on the network or computer device. Doing this alone or with limited resources can create larger concerns for the district and increase the damage of the exposure. If sensitive information such as dates of birth, social security numbers, or other confidential information has been accessed, there are specific requirements under state law that mandate how and when the school should respond to such an event. This requirement alone necessitates quick response from the proper school staff and administration. 
  • We recommend having an independent audit of the system done by a computer forensics professional. This can ensure speedy recovery of any locked systems, detect where the intrusion came from, and provide unbiased reports on improving system security if necessary, including steps to implement to ensure reduction of future attacks.
  • It is always good practice to keep the school district’s local counsel in the loop from the beginning. Consultation with such individuals will guide the district in making important and timely decisions to address the incident and the decision to report the incident to local law enforcement.

Read part 2 (Secure passwords: It's not as easy as 1-2-3) and part 3 (Cyber awareness starts with a plan) of the series. For more information about the Fund’s Privacy Information & Security coverage and resources, visit the Fund website.

Tagged: "cyber security", cybersecurity, "Privacy and Information Security"