1602 Network and Internet Security
A. Applicability - This policy applies to all employees, contractors, consultants, temporaries and volunteers who use the internal network and/or the Internet with district computing or networking resources. All users are expected to be familiar with and fully comply with this policy. Violations of this policy can lead to disciplinary action up to and including termination.
B. Prior Management Approval - In order to receive Internet access privileges, an employee must have on file in the Human Resources Department a signed Internet Use Agreement.
RELIABILITY OF INFORMATION OBTAINED FROM THE INTERNET
A. Information Reliability - All information acquired from the Internet must be considered suspect until confirmed by separate information from another source. Before using free Internet-supplied information for business decision-making purposes, employees should corroborate the information by consulting other sources.
B. Software Downloading - Union Public Schools can automatically audit all software residing on any district-owned computer systems. Employees must not install software on the district-supplied computers unless it has been approved by the Executive Director of Technology or has been approved and posted to the “Approved Software List”. When unapproved or unlicensed software is found, it will be removed from the district’s computer system.
C. Spoofing Users - Before employees use information obtained from the Internet or from e-mail, the identity of the individuals and organizations contacted should be confirmed. Identity confirmation is ideally performed through digital signatures or digital certificates, but in cases where these are not available, other means such as letters on official stationery, third-party references and telephone conversations may be used.
D. Electronic Mail Attachments - Employees should not open electronic mail attachments unless they were expected from a trusted sender.
INTELLECTUAL PROPERTY RIGHTS
Copyrights - When at work or when district computing or networking resources are employed, copying of software in a manner that is not consistent with the vendor’s license is strictly forbidden. The reproduction, forwarding or in any other way republishing or redistributing words, graphics or other copyrighted materials must be done only with the permission of the author or owner. Employees must assume that all materials on the Internet are copyrighted unless specific notice states otherwise. When information from the Internet is integrated into internal reports or used for other purposes, all material must include an appropriate citation and specifics about the source of the information.
ACCESS CONTROL
A. Inbound User Authentication - All users wishing to establish a real-time connection with the district’s internal computers through the Internet must employ a solution approved by the Executive Director of Technology that can encrypt all traffic exchanged. The solution must authenticate and authorize remote users before permitting access to the district’s internal network. Designated public systems do not need user authentication processes because anonymous interactions are expected.
B. Remote Machine Security - Employees whose computer does not have the required software patches or upgrades or whose systems are virus-infested must be disconnected from the district network until they have reestablished a secure computing environment. The computers used by all employees employing VPN technology must have all software updated and patched.
C. Restriction Of Third-Party Access - Inbound Internet access privileges will not be granted to third-party vendors, contractors, consultants, temporaries, outsourcing organization personnel or other third parties unless the relevant administrator determines that these individuals have a legitimate business need for such access and it has been approved by the IT Department. These privileges must be enabled only for specific individuals and only for the time period required to accomplish approved tasks.
PERSONAL USE
A. Personal Use - Employees shall not abuse Internet access. Games, news groups, social media, and other non-business activities must be performed on personal, not district time. Minimal use of district computing resources for these personal purposes is permissible. No Union Public Schools business activity is to be preempted by the personal use, and the usage is not likely to cause either a hostile working environment or a poor behavioral example. Employees must not employ the Internet or other internal information systems in such a way that the productivity of other employees is eroded. Examples of this include chain letters and broadcast charitable solicitations. Union Public Schools computing resources must not be resold to other parties. Also, they shall not be used for running a personal commercial business during the employee’s work day. No district computer shall be used for mining, acquiring, buying, selling, or trading in cryptocurrency.
B. Offensive Web Sites - Union Public Schools is not responsible for the content that employees may encounter when they use the Internet. When and if users make a connection with websites containing objectionable content, they must promptly move to another site or terminate their session. Employees using Union Public Schools computers who discover they have connected with a website that contains sexually explicit, racist, sexist, violent or other potentially offensive material must immediately disconnect from that site.
C. The user is responsible for all media, internet usage, downloads, file creation, file deletion, file sharing, file storage, and other actions that involve the use of the device.
D. Blocking Sites and Content Types - The ability to connect with a specific website does not in itself imply that users of Union Public Schools systems are permitted to visit that site. The district may, at its discretion, restrict or block websites and the downloading of certain file types that are likely to cause network service degradation.
PRIVACY EXPECTATIONS
Users must have no expectation of privacy when using information systems provided by Union Public Schools. To manage systems and enforce security, the district may log, review and otherwise utilize any information stored on or passing through its systems. Union Public Schools may capture user activity such as websites visited. In order to make this clear to all computer users, the following message is displayed whenever employees log on to the Union network from a Union computer:
This is a Union Public Schools (I-009) owned computer system. This computer system, including all related equipment, networks and network devices (specifically Internet access), is provided only for authorized use. Union Public Schools’ computer systems are monitored for all lawful purposes, including ensuring that their use is authorized, for management of the system, to facilitate protection against unauthorized access and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized Union Public Schools’ entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored and become property of Union Public Schools. Use of this computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may lead to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.
A. No Default Protection - Employees using Union Public Schools information systems or the Internet must realize that their communications are not automatically protected from viewing by third parties. Unless encryption is used, employees should understand that any data, including confidential or private information, may be intercepted by third-party individuals or organizations.
B. Management Review - At any time and without prior notice, Union Public Schools reserves the right to examine electronic mail messages, files on personal computers, web browser cache files, web browser bookmarks, logs of websites visited, computer system configurations and other information stored on or passing through Union Public Schools computers.
C. Logging - Union Public Schools logs all websites visited, files downloaded, time spent on the Internet and related information. The Superintendent or designee may request, from the IT Department, reports of such information on any employee in their area. The IT Department may also archive network access activity to files and directories for certain Federal compliances. Such logging could include username, date of access, and whether or not the user modified data.
D. Junk Electronic Mail - Users must not use district computer systems for the transmission of unsolicited bulk electronic mail advertisements or commercial messages without the permission of the Superintendent or designee. These prohibited messages include a wide variety of unsolicited promotions and solicitations such as chain letters, pyramid schemes and direct marketing pitches. When employees receive unwanted and unsolicited internal electronic mail of this type, they should refrain from responding directly to the sender.
E. Public WiFi - When connecting to any public WiFi (Hotel, Conference, etc.) there shall be no expectations of privacy.
PHYSICAL SECURITY
A. In accordance with Federal law, no desktop phone shall be moved unless by an authorized employee of the Technology department. All phones are programmed to report the actual room number in case of a 911 or emergency call.
B. No employee shall ever use a software-based phone or app-based phone to call for emergency help. If emergency help is needed, the employee must use their personal cell phone or land line to request emergency help.
REPORTING SECURITY PROBLEMS
A. Notification Process - If sensitive Union Public Schools information is lost, disclosed to unauthorized parties or suspected of either, the IT Department must be notified immediately. If any unauthorized use of Union Public Schools information systems has taken place or is suspected of taking place, the IT Department must be notified immediately.
B. False Security Reports - Employees in receipt of information about system vulnerabilities must forward it to the IT Department, who then will determine what, if any, action is appropriate. Employees must not personally redistribute system vulnerability information to other users.
C. Testing Controls - Employees must not test or probe security mechanisms at either Union Public Schools or other Internet sites unless they have obtained written permission from the IT Department. The possession or the usage of tools for detecting information system vulnerabilities, or tools for compromising information security mechanisms, is prohibited without the advance permission of the IT Department.
MULTI-FACTOR AUTHENTICATION (MFA)
A. Email Connectivity: All employees must authenticate through two different authentication processes prior to accessing email. All employees that wish to use Union Public Schools’ email system will be required to:
a. Register a device or alternative contact to provide a secure method for the District or their services to contact the employee during the authentication (logon) process, such as a cellphone that can receive texts, a District Specified app, or a landline phone;
b. When attempting to log into a Union Public School owned system protected by MFA, the system will “challenge” the employee by requesting a secret security code. This code will be provided through the secure method selected during registration or as a confirmation request in the MFA application.
B. Remote Connectivity: All remote network access will be required to use MFA to authenticate and validate all users prior to remotely connecting to the district infrastructure. Remote connections include, but are not limited to, any inbound VPN connection, remote screen sharing utility, ssh connection, telnet, or remote desktop protocol.
C. Administrative access to local computers/servers: Any user that requires local administrative rights to a computer or server will be required to contact the Technology Department to determine to what extent they will need to use MFA to gain access to the local sources where applicable and feasible as determined by the Executive Director of Technology.
D. Infrastructure Administrative Access: Prior to any employee gaining administrative access to the district’s directory services, firewalls, routers, switches, access points, servers, or backup environment, the employee must contact the Technology department to ensure their account has access and that their account has been set to force MFA where applicable and feasible as determined by the Executive Director of Technology.
Adopted 12/13/04
Revised 1/16/06
Revised 2/12/07
Revised 12/10/07
Revised 12/12/11
Revised 12/9/13
Revised 12/14/15
Revised 12/11/17
Revised 12/9/19
Revised 12/14/2020
Revised 12/13/21
Revised 12/12/22