Policy Details Page
1. Data Governance
Tacoma Public Schools (TPS) values the trust of our students, staff, parents, and community, and is committed to safeguarding and managing the storage, use, sharing, and disposal of district data, records, and information.
Tacoma Public Schools' policies and procedures safeguard data from accidental or intentional unauthorized modification, destruction, or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment, software, and practices used to process, store, transmit, and dispose of data or information.
This regulation contains provisions for data security, the security of systems used to store, process and access district data, access controls, quality control, data exchange, and reporting to include external data requests and third-party data use.
The established standards, processes, and procedures outlined within this regulation apply to all entities accessing district data or systems, including students, staff, contractual third-parties such as vendors, community partners, agents of the district, and volunteers.
The terms data, records, and information are used separately, together, and interchangeably throughout the regulation. The intent is the same.
District data includes, but is not limited to:
• Speech, spoken face to face, or communicated by phone using any current or future technologies.
• Hard copy data either printed or hand-written.
• Communications sent by post/courier, fax, electronic mail, text, chat, or any form of social media.
• Data stored or processed by servers, PCs, laptops, tablets, or mobile devices.
• Data stored on any internal, external, or removable media or cloud-based service.
The district will abide by all laws, statutory, regulatory, or contractual obligations affecting the data systems. Tacoma Public Schools complies with all applicable regulatory acts including but not limited to the following:
• Children’s Internet Protection Act (CIPA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• Protection of Pupil Rights Amendment (PPRA)
• Student User Privacy in Education Rights (SUPER)
• Washington Public Records Act (PRA)
This regulation does not create or expand entitlement to the confidentiality of records beyond that which is established by law or specific Board policy.
2. Roles and Responsibilities
Data Governance Committee
The Tacoma Public Schools Data Governance committee consists of the Chief Financial Officer, Assistant Superintendent - Human Resources, General Counsel, Assistant Superintendent - K-12 Support, and the Chief Information Officer. Other cabinet members or district staff will be called upon to attend meetings when the topic of the request requires his or her expertise. The committee will:
• Meet a minimum of one time per year. The membership may call additional meetings as needed.
• Annually review the district data governance policies and regulations.
• With the Board’s permission, modify information in the appendices in response to changing needs.
• Post all modifications to the Tacoma Public Schools website in the Policy and Regulation Manual.
• Be familiar with and practice the TPS Data Security policies.
• Know the basics regarding Information Security.
• Report security incidents (issues) and risks (potential problems) as detected.
• Act responsibly to ensure institutional data, information, or assets are protected and not exposed to loss, damage, or unauthorized use or duplication.
• Immediately report any loss or theft of data or equipment that contains confidential data.
Departments, Project Managers, and Service Owners:
• Be familiar with and follow TPS Data Security policies and associated risk management responsibilities.
• Ensure any projects or changes that impact information systems, or institutional data, have been reviewed by the Data Governance Committee to identify any associated risks to information security.
• When utilizing externally accessible information systems, initiate the Compliance Committee process for evaluation and selection.
• Remain accountable for information security decisions by treating, formally accepting, or removing information security risks under their control.
• Escalate security concerns to Technology Services (TS).
Authorized Requestors are responsible for knowledge of all policies, laws, rules, and best practices relative to the data for which they are granting access. These laws include FERPA, HIPAA, and other regulatory requirements.
Authorized Requestors are responsible for informing appropriate TS department personnel regarding data classification. The TS department will determine the best physical or logical controls available to protect the data. This shall include the following:
• Guidance regarding data to be classified as Class III
• Where that data resides (which software program(s) and servers)
• Who should have access to that data (Authorized Users)
• What level of control the Authorized User should have to that data (i.e., read-only, read/write, print)
• Notifying the Director, Data and Web Development, via email.
Technology Services Department
The Technology Services Department will implement, maintain, and monitor the network, computer systems, access controls, and physical security of the district data.
When granted rights, the Technology Services department, or the Authorized Requestor, will provide professional development and instructions for Authorized Users on correctly accessing data. The supervisor(s) of the Authorized User(s) and the Technology Services Department share the responsibility of providing user instruction.
The Compliance Committee will approve or deny requests for procurement of software, apps, websites, and hardware which utilize district data before purchase or implementation. Users may initiate a request for evaluation through the TPS Tech Toolbox portal. Access to the application is via the district website.
Data Request Committee
The Data Request Committee will review, approve, or deny all requests for both internal and external data requests that contain PII (see Appendix A, B, C and D).
The Tacoma Public Schools Data Request Committee consists of the Chief Financial Officer, Assistant Superintendent - Human Resources, Assistant Superintendent - K-12 Support, Chief Information Officer, Director – Data & Web Development, and the Director – DART, as well as a representative from the Legal department when necessary. Data requests will be reviewed as they are received. An online approval process will be established to streamline approvals as much as possible.
3. Data Classification and Management
District data falls into three primary classifications. Requests for changes to the established data sensitivity classification or individual permissions shall come from authorized requestors to the Chief Information Officer.
Class I – Public Use
Information targeted for public use. Examples include Internet website content for general viewing and press releases.
• Public information explicitly approved for public release by a designated authority within each entity of Tacoma Public Schools.
• Examples of Public Information may include marketing brochures and material posted to Tacoma Public School’s web pages.
Class II – Internal Use
Non-Sensitive information used internally. Examples include:
• Private information intended for unrestricted use within Tacoma Public Schools or affiliated organizations such as TPS business or community partners.
• This type of information can be distributed within Tacoma Public Schools and shared within the organization without advance permission from the information owner.
• Internal information may include personnel directories, internal policies and procedures, and most internal electronic mail messages.
• Any information not explicitly classified as PII, Sensitive, or Public will, by default, be classified as Internal information.
• Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
Class III – Sensitive
Private information guarded against unauthorized disclosure. Unauthorized exposure of this information could contribute to identity theft, financial fraud, breach of contract, legal action, or violate state or federal laws.
Sensitive information includes:
• Personally Identifiable Information (PII) maintained by the district.
• PII used to distinguish or trace an individual’s identity, such as name, social security number, date, and place of birth, mother’s maiden name, or biometric records.
• Information linked or linkable to an individual, such as medical, educational, financial, and employment information.
Regulation No. 6300R
• Confidential and highly sensitive material not classified as PII. This information is private or otherwise sensitive and restricted to those with a legitimate business need for access.
• Examples of Sensitive information may include personnel information, critical financial information, proprietary information of commercial research sponsors, system access passwords, and information file encryption keys.
• Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations or cause significant problems for Tacoma Public Schools, its staff, parents, students, contract employees, or business partners. The information owner, or Data Governance Committee, shall determine the provision of access to this information.
The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that Tacoma Public Schools, with certain exceptions, obtain guardian consent before the disclosure of personally identifiable information from a student’s education records.
Consent is implied; however, the guardian may complete the Request to Restrict Release of Information Form to limit disclosure of student data. The form is in the district Parent and Student Handbook. This form must be submitted each school year and returned to the student’s home school for processing.
Tacoma Public Schools may disclose appropriately designated “directory information” without written consent unless a guardian advised the district to the contrary following Tacoma Public School’s procedures. Tacoma Public Schools considers secondary student information as directory information. Elementary records and data are not included in directory information.
The primary purpose of directory information is to allow the district to include data from student education records in certain school publications. Examples include:
• A playbill, showing your student’s role in a drama production;
• The annual yearbook;
• Honor roll or other recognition lists;
• Graduation programs; and
• Sports activity sheets, such as for wrestling, showing weight and height of team members.
Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, may also be disclosed to outside organizations without a guardian’s prior written consent.
Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks. In addition, two federal laws require local educational agencies (LEAs) receiving assistance under the Elementary and Secondary Education Act of 1965, as amended (ESEA) to provide military recruiters, upon request, with the following information – names, addresses, and telephone listings – unless guardians have advised the LEA that they do not want their student’s information disclosed without their prior written consent. [Note: These laws are Section 9528 of the ESEA (20 U.S.C. § 7908) and 10 U.S.C. § 503(c).]
Tacoma Public Schools defines Directory information as follows:
• Student first and last name
• Student gender
• Student home address
• Student home telephone number
• Student school assigned monitored and filtered email address
• Student photograph
• Student place and date of birth
• Student dates of attendance (years)
• Student grade level
• Student diplomas, honors, awards received
• Student participation in school activities or school sports
• Student weight and height for members of school athletic teams
• Student most recent institution/school attended
• Student ID number
Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause severe legal implications for the Tacoma Public Schools.
Systems controlling access to PII, Sensitive information, Internal information, and computing resources may include, but are not limited to, the following methods:
Access will be granted on a “need to know” basis and shall be authorized by the superintendent, principal, immediate supervisor, or Data Request Committee with the assistance of the Chief Information Officer. On a case by case basis, permissions may be added to those already held by individual users, again on a need to know basis and only to fulfill specific job responsibilities.
Access to all systems that maintain or access PII, Sensitive information, or district information will require unique user identification (User ID) and authentication. Users will be held accountable for all actions performed on the system with their User ID. Personal user accounts and passwords shall remain private and cannot be shared.
Tacoma Public Schools implements safeguards to ensure all PII, Sensitive, and Internal information is not altered or destroyed in an unauthorized manner.
Class I data, directory information, and, in some cases, Class II data, may be transferred to an external service provider by complying with the following steps (see Appendix A, B, C and D):
• The staff member gains approval from the Data Request Committee.
• When sharing student data, the District notifies parents about their right to restrict their child’s data from being shared with such sites annually via the annual Student and Parent Resource Handbook.
• Technology Services Department either performs the data transfer or approves of the transfer method in advance.
Class III data a FERPA protected education records will be transferred to an external service only upon approval of the Data Request Committee. If the request is approved, the district will determine the means of transfer.
Any program used by the district that requires the sharing of district data must receive approval for use through the Compliance Committee. District staff should initiate requests through the TPS Tech Toolbox portal.
Service providers must execute a Data Sharing Agreement (DSA) before any data transfer occurs. The Compliance Committee manages this process.
The IT and Purchasing Departments will keep all DSA’s and MOU’s on file. Executed contracts with attached MOU’s or DSA’s will be accessible through the Purchasing database.
Electronic Mass Data Transfers:
Downloading, uploading, or transferring PII, Sensitive information, and Internal information between systems shall be strictly controlled. Requests for mass download of or individual requests for information for research or any other purposes that include PII shall be per this regulation and approved by the Data Request Committee.
The CIO and the Data Request Committee will approve all mass downloads of information. These downloads will include only the minimum amount of information necessary to fulfill the request.
A Data Sharing Agreement (DSA) shall be in place before transferring PII to external entities such as software or application vendors, textbook companies, testing companies, community partners, and research entities unless the Data Request Committee grants an exception.
Additional Electronic Data Transfers and Printing:
PII, Sensitive information, and Internal information are stored in a manner inaccessible to unauthorized individuals. Downloading, copying, printing indiscriminately, or leaving PII and Sensitive information data unattended and open to compromise is not permissible.
PII downloaded for educational purposes shall be de-identified before use when possible.
Employees who must take data out of the protected network environment (transport data on a laptop) can request permission, in advance, from their supervisor. Personnel transporting the data will be responsible for the security of the data to include theft or accidental loss.
Information transported on portable media such as flash drives, external hard drives, memory cards, or cellphones must be encrypted or password-protected while the data resides on that device.
Email is not a recommended method for transferring sensitive data. If it must be done, the data should be secured in a password-protected Zip file or another manner of password protection or encryption
Appendix K: User-Level Data Security Procedures provide additional guidelines for transporting and securing data.
4. Data Quality Controls
Job descriptions for employees entering, maintaining, or deleting data shall contain provisions addressing the need for accuracy, timeliness, confidentiality, and completeness. Jobs include, but are not limited to, human resources, finance, purchasing, school registrars, counselors, special education, nutrition services staff entering free and reduced lunch data, classroom teachers, and administrators.
It is the responsibility of all supervisors to set expectations for data quality and to evaluate their staff’s performance relative to these expectations.
Supervisors should immediately report incidents where data quality does not meet standards to their superior and any other relevant department.
All software systems owned or managed by the District and used to store, process, or analyze records are subject to strict security measures. These systems may include:
• Human Resources-Staff Management Systems
• Purchasing systems
• Finance systems
• Employee Self-Service
• Timekeeping system
• General student information system
• Special education information system
• Student nutrition information system
Data Stewards shall determine the appropriate access rights to the data and enforce compliance with these roles and permissions.
5. System Control
Systems include any computer, laptop, mobile device, printing or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device, or any other current or future electronic or technological device. Tacoma Public Schools shall protect all involved systems and information from misuse, unauthorized manipulation, and destruction. These protection measures may be physical or software-based.
Software, application, and website use:
The district compliance committee will approve all software used within or by Tacoma Public Schools. The software will comply with applicable licensing agreements and restrictions. Users are responsible for determining if the software is collecting student data.
Physical and electronic access to information systems containing Personally Identifiable Information (PII), Sensitive information, Internal information, and computing resources will be limited. To ensure appropriate levels of access to data by internal workers, the Data Governance Committee, in conjunction with Tacoma Public Schools, recommends implementing a variety of security measures.
Servers storing sensitive information shall remain under the oversight of the Technology Services Department. These servers include on-premises hardware, virtual servers, and cloud-based solutions. Further, these controls extend to systems designated as application testing when using live data.
Measures to control access to PII, Sensitive information, Internal information, and computing resources may include, but are not limited to, methods outlined in Appendix L: Physical and Electronic Access Control of District Technology Systems.
6. Risk Management
The consequences of a security incident affecting the district's information systems can range from trivial to severe. The loss, corruption, or inappropriate release of data can lead to critical systems and services being unable to function, which could, in turn, lead to TPS being unable to carry out core business activities. Security incidents have the potential to expose the district to substantial cost, legal issues, and loss of community trust.
A review of all Tacoma Public Schools data networks, systems, policies, and procedures will be scheduled and conducted at least once annually, or as requested by the superintendent or designee. The review shall be used to devise a plan to mitigate identified threats and risks to an acceptable level.
The review will examine the types of threats – internal or external, natural or human, electronic, and non-electronic, that affect the ability to manage and protect the information resources. This review will also document any existing vulnerabilities found within each entity, which may potentially expose the information resource to threats.
Finally, the review will include an evaluation of the information assets and the technology associated with its collection, storage, dissemination, and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity, and availability of the information is determined and addressed based on recommendations by the Data Governance Committee. The frequency of the risk management review is determined at the cabinet-level. It is the option of the superintendent or designee to conduct the analysis internally or externally, or by using a combination of the two.
7. Incident Response
An appropriate response in the event of an information security incident is crucial. Rapid response in the event of a data breach is key to ensuring the confidentiality, integrity, and availability of essential information services to ensure the continuation of daily operations.
A security incident may involve any or all the following:
• A violation of district information security policies, including breach of state or federal laws.
• Unauthorized or inappropriate access or use of an information system or data.
• Deliberate hacking.
• Loss of information confidentiality.
• Compromise of information integrity.
• Loss of information or service availability.
• Physical or logical damage to systems.
• Malware outbreaks or viruses.
• Accidental disclosure of data to unauthorized or inappropriate individuals.
Known or suspected incidents should be reported promptly via the process outlined in Appendix M: Data Breach Response.
8. Vulnerability testing:
Using district-owned or approved tools, authorized district staff will conduct vulnerability testing on a regular schedule. Technology Services will use the results to remediate any vulnerabilities that we can fix. There may be situations where fixing a vulnerability could potentially break a system or cause it to lose compatibility with other connected systems, and in those cases, we will review our options based on the risk that vulnerability poses.
The Technology Services department, or the superintendent or designee, may determine it is in the best interest of the district to perform third-party vulnerability scans to verify our internal results. In that case, the TS department will work with the Purchasing department to contract a qualified vendor to help.
Tacoma Public Schools will periodically review access controls, storage, and other
systems in response to environmental or operational changes affecting the security of electronic PII to ensure its continued protection.
10. Data Governance Training
Tacoma Public Schools shall conduct and document annual information security training.
School and District Administrators
• School and district administrators will receive refresher training on cybersecurity through Safe Schools or similar methods on an annual basis.
• School and district administrators shall contact the TS Department when unsure how to handle Class II and III information.
• School and district administrators will be informed of emerging issues regarding data security procedures through direct communications using email or the district website.
• District staff will receive annual cybersecurity training through Safe Schools or similar methods.
• New staff will complete training on district technology policies, including the district Data Security Policy within 30 days of hire.
• Department heads are expected to educate their support staff on data governance as it applies to specific department work.
• Users may receive reminders throughout the year via email or similar methods regarding malware threats and phishing scams with reminders on how to report suspected threats.
Parent and Volunteer Training
• School administrators shall educate parents, volunteers, and other groups about FERPA and student confidentiality. For instance, organizations that intend to post information about the school’s students or activities should not compromise the privacy of students
The Data Security Policy and corresponding regulation apply to all users of Tacoma Public Schools information, including employees, staff, students, volunteers, and outside affiliates. Failure to comply with this policy by employees, staff, volunteers, and outside partners may result in disciplinary action up to and including dismissal per applicable Tacoma Public Schools procedures, or, in the case of external affiliates, termination of the affiliation.
Failure to comply with this policy by students may constitute grounds for corrective action per Tacoma Public Schools policies. Further, penalties associated with state and federal laws may apply.
Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
• Unauthorized disclosure of PII or Sensitive information.
• Unauthorized disclosure of a login code (User ID and password).
• Attempting to obtain a User ID or password that belongs to another person.
• Attempting to use another person's User ID or password.
• Unauthorized use of an authorized password to invade student or employee privacy by examining records or information for which there has been no request for review.
• Installation or use of unlicensed software on Tacoma Public Schools technology systems.
• The intentional unauthorized alteration, destruction, or disposal of Tacoma Public Schools information, data, or systems. This includes the unauthorized removal from TPS of technology systems such as laptops, internal or external storage, computers, servers, backups, or other media, and copiers that contain PII or Sensitive information.
Appendix A: Internal Student Data Request Workflow
Appendix B: External Student Data Request Workflow
Appendix C: Internal Non-Student Data Request Workflow
Appendix D: External Non-Student Data Request Workflow
Appendix E: Student Data Security – Data Access
Appendix F: Non-Student Data Security – Data Access
Appendix G: Security Classifications for Common Data Categories
Appendix H: Data Classification Handling
Appendix I: Data Stewards and Designees
Data Stewards decide who will be permitted access to information. The policy requirements outlined in this document are based on the concept of “the need to know.” District information should be disclosed only to those people who have a legitimate business need. Departments are listed as a means of simplification instead of listing individual job titles.
Appendix J: Data Steward, Custodian, and Consumer Roles and Responsibilities
Data Stewards of Tacoma Public Schools data have the primary administrative and management responsibilities for segments of Tacoma Public Schools data within their functional areas. For example, the Assistant Superintendent - Human Resources has stewardship responsibility for HR data.
Stewards of Tacoma Public Schools data interpret policy, define procedures about the use and release of the data for which they are responsible, and ensure the feasibility of acting on those procedures. Stewards are responsible for defining processes and making policy interpretations for their business unit(s). Any such business-unit-specific items must, at minimum, meet Tacoma Public Schools data policy standards. They are responsible for coordinating their work with other Tacoma Public Schools departments associated with the management and security of data, such as the Technology Services department. Specific responsibilities include:
Access: Approving requests for access to TPS data within their functional area. Specifying the appropriate access procedure and ensuring necessary access rights and permissions per the data classification.
Communication: Ensuring that Consumer/Users of the data are aware of information-handling procedures.
Compliance: Complying with applicable TPS policies, legal, and regulatory requirements. Stewards must be knowledgeable about applicable laws and regulations to the extent necessary to carry out the stewardship role. Stewards must take appropriate action if incidents violating any of the above policies or requirements occur.
Consultation: Providing consulting services as needed to assist Custodians and data Consumer/Users in the interpretation and use of data elements for which the Steward is responsible.
Coordination: Ensuring that, where required, Information Security Liaisons are designated for their respective business units, specifying data management and protection requirements to Custodians of TPS data.
Data Classification: Classifying each data element per definition:
• Class I – Public Use
• Class II – Internal Use
• Class III – Sensitive
Documentation: Ensuring that documentation exists for each data element to include, at a minimum, data source, data provenance, data element business name, and data element definition.
Data Manipulation, Extracting, and Reporting: Ensuring proper use of TPS data and recommending appropriate policies regarding the manipulation or reporting of TPS data elements and implementing business unit procedures to carry out these policies.
Data Quality, Integrity, and Correction: Ensuring the accuracy and quality of data (access control, backup) and implementing programs for data quality improvement.
• Developing procedures for standardizing code values and coordinating maintenance of look-up tables used for TPS data.
• Determining update precedence when multiple sources for data exist.
• Determining the most reliable source for data.
Data Lifecycle and Retention: Ensuring appropriate generation, use, retention, and disposal of data and information consistent with TPS policies. Following the Data Security Policy and standards for disposal.
Data Stewardship: Exercising due care in the selection of TPS data Custodians to ensure these responsibilities are adequately and consistently executed. Other duties as necessary,
Data Storage: Documenting suitable storage locations and determining the archive and retention requirements for data elements.
Education: Ensuring that training in data retention, data handling, and data security is provided for employees responsible for managing the data.
Policy Implementation: Establishing specific goals, objectives, and procedures to implement the policy and monitor progress toward implementation.
Stewards of TPS data may appoint Custodians to assist with data-administration activities. A Custodian of TPS data is given specified responsibilities and receives guidance for appropriate and secure data handling from the Stewards. A Custodian has the responsibility for the day-to-day maintenance and protection of data. Specific responsibilities also include:
Access: Implementing procedures as defined by Stewards to grant access to TPS data to Consumer/Users.
Coordination: With guidance from the respective Stewards and in collaboration with technical support staff, Custodians recommend appropriate IT procedures that satisfy specified information security requirements, including legal and compliance obligations, as well as applicable TPS policies.
Data Collection and Maintenance: Collecting and maintaining complete, accurate, valid, and timely data for which they are responsible.
Data Security: Administering and monitoring access. In collaboration with technical support staff, defining mitigation and recovery procedures and promptly reporting any breaches. Coordinating data protection with the TS Information Security department as necessary.
Documentation: Writing the documentation for each data element based upon stewardship requirements, policy, and best practices. This documentation will include, at a minimum, the data source, data provenance, data element business name, and data element definition.
Education: At the direction of the Steward, providing training in data retention, data handling, and data security to employees responsible for managing the data.
Consumers/Users are employees or agents of Tacoma Public Schools who access TPS data in performance of their assigned duties. This access includes reading, entering, downloading, copying, querying, or updating data or information.
All data Consumers/Users must adhere to the following:
Confidentiality: Respecting the privacy rights of individuals when working with personal information.
Ethics: Observing the ethical restrictions that apply to records, data, and information.
Policy Adherence: Abiding by applicable laws and TPS policies concerning access, use, protection, proper disposal, and disclosure of data.
Responsible Access: Accessing and using TPS data only as required to conduct TPS business. Quickly reporting any TPS data breaches to the Customer Service Center.
Quality Control: Reviewing reports created from data to ensure that the analysis results are accurate, and the data is correctly interpreted.
Appendix K: User-Level Data Security Procedures
Securing sensitive/confidential (Class II and Class III) data used in personal workspaces maintains data security and reduces the risk of workplace security breaches. Information should be correctly secured when not being used to perform job functions.
Data users must ensure:
• All Class II and Class III information, in both hardcopy or electronic form, is secure in their work area at the end of the day.
• Computer workstation screens are locked when the workspace is unoccupied.
• Documents and computer screens are positioned to prevent inadvertent viewing of unauthorized users.
• When a desk is unoccupied, remove Class III information and place it in a locked drawer or file cabinet. Secure all Class II information at the end of each workday.
• File cabinets containing Class III information must be closed and locked when not in use.
• Do not leave keys used to access Class III information at an unattended desk.
• Laptops must be either locked with a locking cable or locked away in a drawer.
• Do not leave user ID’s or passwords on sticky notes posted on or under a computer or in an accessible location.
• Immediately remove printouts containing Class III information from the printer or fax machine. Class II documents should be removed from the printer/fax as soon as practical.
• Shred all Class II and Class III documents in the proper shredder bins or place in locked, private disposal bins when retired.
• Irretrievable erase all Class III electronic documents from any storage media.
• Delete all Class II electronic documents using standard deletion commands or utilities.
• Erase all whiteboards containing Class II or Class III information.
• Secure all mass storage devices such as external hard drives or USB drives in a locked drawer when not in use.
• Lock all personal computing devices capable of accessing district data, such as cell phones, when not in use.
• Tacoma Public Schools staff shall be aware of their surroundings when discussing PII and Sensitive information. Communication includes but is not limited to the use of cellular telephones in public areas.
• Don’t discuss PII or Sensitive information in public areas. Use caution when sharing PII and Sensitive information in semiprivate rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
Appendix L: Physical and Electronic Access Control of District Technology Systems
Mechanisms to control access to PII, Sensitive information, Internal information, and computing resources may include, but are not limited to, the following methods:
• Where possible, access to a computer and network systems containing PII, Sensitive, or Internal information will be limited by physical means. Security could include door and window locks and locking cabinets.
• Controls shall be in place to authenticate the identity of users and to validate each user’s authorization before allowing the user to access information or services on the system.
• Users should not leave devices logged in, unattended, and open to unauthorized use.
• Systems that may contain district information shall be disposed of or moved with guidance from the Technology Services Department.
• Storage media containing sensitive (i.e., restricted or confidential) information shall be blank before reassigning that medium to a different user or disposing of it when no longer used. Simply deleting the data from the media is not sufficient. Irretrievably erase all electronic documents from any storage media before re-use or disposal.
• When disposing of media containing data that cannot be erased, the media must be destroyed in a manner approved by the Information Security department.
• Users wishing to surplus technology will notify the Technology Services department through the Customer Service Center to arrange for pick-up. Data will be destroyed using best practices, and the recycler shall provide documentation on the destruction of any data.
• The TS department secures access to software, computers, servers, and the network by implementing multiple layers of security, including, but not limited to, firewalls, filters, gateways, software patch maintenance, password policies, and virus scanning software.
• Users shall not turn off or disable Tacoma Public Schools protection systems or install other systems unless directed by the TS Department.
Data should be encrypted while in transit and at rest. Data encryption may be accomplished using technologies such as HTTPS/SSL, SFTP, wireless encryption, encrypted hard drives, and encrypted files.
Appendix M: Data Breach Response
Suspected theft, data breach or exposure of TPS Class II or Class III data
Individuals who suspect a theft, breach, or exposure of Tacoma Public Schools Class II or Class III data occurred must immediately provide notice to the Customer Service Center (CSC) HELP desk. Users must describe the incident by calling 253-571-4357 or submitting a report using the Customer Service Center self-service option found on the district webpage. The CSC will create a work order for the district Information Security department. This team will investigate all reported thefts, data breaches, and exposures to confirm if a theft, breach, or exposure occurred. If a theft, breach, or exposure has occurred, the Information Security department will follow department procedures.
Confirmed theft, data breach or exposure of TPS Class III or Class II data
When a theft, data breach, or exposure containing Tacoma Public School’s Class II or Class III data is confirmed, all access to that resource will cease.
The Chief Information Officer (CIO) will chair an incident response team to handle the breach or exposure.
The team will include members from:
• Information Security
• Infrastructure and Cloud Services
• Finance (if applicable)
• Data and Web Services
• Student Services (if student data is affected)
• Human Resources
• The affected unit, or department, using the involved system or output involved in the data breach
• Additional departments, or individuals, as deemed necessary by the CIO or superintendent
A representative from the Incident Response Team will notify the superintendent of the theft, breach, or exposure. The Information Security Department, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.
Tacoma Public Schools will provide access to forensic investigators and experts that will determine how the breach or exposure occurred, the types of data involved, the number of internal/external individuals or organizations impacted, and analyze the breach or exposure to determine the root cause.
The incident response team will coordinate with the Communications Department, Legal, Human Resources, and any other relevant departments to establish the best method of communication regarding the breach to internal employees, students, parents, the public, and those directly affected.
Adoption Date: 11/19/2019