District Data Governance Policy
TALLAPOOSA COUNTY SCHOOLS
Data Governance Policy
Board Approved August 7, 2017
TABLE OF CONTENTS
Policy
Scope
Risk Management
Information Security Definitions
Information Security Responsibilities
Data Classifications
Computer and Information Control
Data Quality
I. POLICY
It is the policy of Tallapoosa County Schools that information, as defined hereinafter, in all its forms--written, recorded electronically, or printed--shall be protected from accidental or intentional unauthorized modification, destruction, or disclosure throughout its life cycle. This protection shall include an appropriate level of security over the equipment and software used to process, store, and transmit that information. The terms data and information are used separately, together, and interchangeably throughout the policy. The intent is the same.
The data governance policies and procedures must be documented and reviewed annually by the data governance committee. Tallapoosa County Schools will conduct annual training on its data governance policy and document that training.
Data Governance Committee
2015-2017
The Tallapoosa County Schools 2015-2016 Data Governance committee consists of Mr. Joseph Windle, Superintendent, Tallapoosa County Schools, Joel Padgett, Technology Coordinator, Nancy Hatcher, Director of Personnel, Casey Davis, Director of Student Support Services, Vacant, CSFO, Lisa Heard, Special Education Coordinator, Tammy Templeton, Lead Nurse Student Health Services, Karen McMath, Assistant Principal, Horseshoe Bend School, Kathy Ledbetter, Assistant Principal, Reeltown High School, Chris Hand, Principal Dadeville High School, Dr. Chris Dark, Principal Dadeville Elementary School, Amy Taylor, Counselor, Dadeville High School and Chad McKelvey, Principal, Edward Bell Career Tech Center.
For the 2015-2017 year, Nancy Hatcher is the Data Governance Committee Chair, Amy Taylor is Secretary, and Casey Davis is Data Manager.
All members of the Tallapoosa County Schools Administrative Team will serve in an advisory capacity to the committee and will be called upon to attend meetings when the topic of the meeting requires his or her expertise.
Committee Meetings
The Data Governance Committee will meet at least twice each school year. Additional meetings will be scheduled as needed.
II. SCOPE
The superintendent is authorized to establish, implement, and maintain data and information security measures. The policy, standards, processes, and procedures apply to all students and employees of the district, contractual third parties, and agents of the district who have access to district information systems or information.
This policy applies to all forms of Tallapoosa County Schools' data and information, including but not limited to:
- Speech, spoken face to face, or communicated by phone or radio,
- Hard copy data printed or written on paper,
- Communications sent by post/courier, fax, electronic mail, text, chat, and/or any form of social media, etc.,
- Data stored and processed by servers, PCs, laptops, tablets, mobile devices, etc.,
- Data stored on any type of removable media or cloud-based services.
Regulatory Compliance
Tallapoosa County Schools will abide by any law, statutory, regulatory, or contractual obligations affecting its information systems.
CIPA, the Children’s Internet Protection Act, was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program. Schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response. For more information, see: http://www.fcc.gov/guides/childrens-internet-protection-act
COPPA, the Children’s Online Privacy Protection Act, regulates operators of commercial websites or online services directed to children under 13 that collect or store information about children. Parental permission is required to gather certain information; see www.coppa.org for details.
FERPA, the Family Educational Rights and Privacy Act, applies to all institutions that are recipients of federal aid administered by the Secretary of Education. This regulation protects student information and accords students specific rights with respect to their data. For more information, see: http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
HIPAA, the Health Insurance Portability and Accountability Act, applies to organizations that transmit or store Protected Health Information (PHI). It is a broad standard that was originally intended to combat waste, fraud, and abuse in health care delivery and health insurance but is now used to measure and improve the security of health information as well. For more information, see: http://www.hhs.gov/ocr/privacy/hipaa/understanding/
The Protection of Pupil Rights Amendment affords parents and minor students rights regarding the district’s conduct of surveys, collection and use of information for marketing purposes, and certain physical exams. These include the right to the following:
Consent before students are required to submit to a survey that concerns one or more of the following protected areas (“protected information survey”) if the survey is funded in whole or in part by a program of the U.S. Department of Education (ED)–
- Political affiliations or beliefs of the student or student’s parent;
- Mental or psychological problems of the student or student’s family;
- Sex behavior or attitudes;
- Illegal, anti-social, self-incriminating, or demeaning behavior;
- Critical appraisals of others with whom respondents have close family relationships;
- Legally recognized privileged relationships, such as with lawyers, doctors, or ministers;
- Religious practices, affiliations, or beliefs of the student or parents; or
- Income, other than as required by law to determine program eligibility.
Receive notice and an opportunity to opt a student out of –
- Any other protected information survey, regardless of funding;
- Any non-emergency, invasive physical exam or screening required as a condition of attendance, administered by the school or its agent, and not necessary to protect the immediate health and safety of a student, except for hearing, vision, or scoliosis screenings, or any physical exam or screening permitted or required under State law; and
- Activities involving collection, disclosure, or use of personal information obtained from students for marketing or to sell or otherwise distribute the information to others.
For more information, see: http://www2.ed.gov/policy/gen/guid/fpco/ppra/index.html
ALABAMA RECORDS DISPOSITION AUTHORITY
Alabama Law Section 41-13-23 authorized the Alabama Department of Archives and History to publish rules for Local Government Records Destruction. For more information: http://www.archives.alabama.gov/officials/localrda.html.
Payment Card Industry Data Security Standard (PCI DSS) was created by a consortium of payment brands including American Express, Discover, MasterCard, and Visa. It covers the management of payment card data and is relevant for any organization that accepts credit card payments. See www.pcisecuritystandards.org for more information.
III. RISK MANAGEMENT
- A thorough analysis of all Tallapoosa County Board of Education information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats – internal or external, natural or manmade, electronic and non-electronic-- that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity, which potentially expose the information resource to threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination, and protection.
From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity, and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.
- The Superintendent or designee will administer periodic risk assessments to identify, quantify, and prioritize risks. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.
IV. INFORMATION SECURITY DEFINITIONS
Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA.
Availability: Data or information is accessible and usable upon demand by an authorized person.
Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.
HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.
Integrity: Data or information has not been altered or destroyed in an unauthorized manner.
Involved Persons: Every user of Involved Systems – at Tallapoosa County Board of Education, no matter what their status. This includes nurses, physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, substitutes, student teachers, etc.
Involved Systems: All computer equipment and network systems that are operated within the Tallapoosa County Board of Education environment both physically and virtually. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.
Personally Identifiable Information (PII): PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.
Data: Facts or information.
Entity: Organization such as school system, school, department, or in some cases businesses.
Information: Knowledge that you get about something or someone; facts or details.
V. INFORMATION SECURITY RESPONSIBILITIES
Data Governance Committee: The Data Governance Committee for Tallapoosa County Schools is responsible for working with the Information Security Officer to ensure security policies, procedures, and standards are in place and adhered to by the entity. Other responsibilities include:
- Reviewing the Data Governance Policy annually and communicating changes in the policy to all involved parties.
- Educating data custodians and managing owners and users with comprehensive information about security controls affecting system users and application systems.
Information Security Officer: The Information Security Officer for Tallapoosa County Schools is responsible for working with the superintendent, Data Governance Committee, user management, owners, data custodians, and users to develop and implement prudent security policies, procedures, and controls. Specific responsibilities include:
- Providing basic security support for all systems and users.
- Advising owners in the identification and classification of technology and data-related resources.
- Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
- Performing or overseeing security audits.
- Reporting regularly to the superintendent and Tallapoosa County Schools Data Governance Committee on Tallapoosa County Schools’ status with regard to information security.
User Management: Tallapoosa County Schools’ administrators are responsible for overseeing their staff’s use of information and systems, including:
- Reviewing and approving all requests for their employees’ access authorizations.
- Initiating security change requests to keep employees’ secure access current with their positions and job functions.
- Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
- Revoking physical access for terminated employees, i.e., confiscating keys, changing combination locks, etc.
- Providing employees with the opportunity for training needed to properly use the computer systems.
- Reporting promptly to the ISO and the Data Governance Committee the loss or misuse of Tallapoosa County Schools’ information.
- Initiating corrective actions when problems are identified.
- Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any technology or data system/software to manage information.
- Following all privacy and security policies and procedures.
Information Owner: The owner of a collection of information is usually the administrator or supervisor responsible for the creation of that information. In some cases, the owner may be the primary user of that information. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the Tallapoosa County Schools Information Owner Delegation/Transfer Request Form and submitting the form to the Data Governance Committee for approval. The owner of the information has the responsibility for:
- Knowing the information for which she/he is responsible.
- Determining a data retention period for the information, relying on ALSDE guidelines, industry standards, Data Governance Committee guidelines, or advice from the school system attorney.
- Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created.
- Authorizing access and assigning data custodianship if applicable.
- Specifying controls and communicating the control requirements to the data custodian and users of the information.
- Reporting promptly to the ISO the loss or misuse of Tallapoosa County Schools’ data.
- Initiating corrective actions when problems are identified.
- Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
- Following existing approval processes within the respective organizational unit and district for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
Data Custodian: The data custodian is assigned by an administrator, data owner, or the ISO based on his/her role and is generally responsible for the processing and storage of the information. The data custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:
- Providing and/or recommending physical safeguards.
- Providing and/or recommending procedural safeguards.
- Administering access to information.
- Releasing information as authorized by the Information Owner and/or the ISO and/or Data Governance Committee for use and disclosure using procedures that protect the privacy of the information.
- Maintaining information security policies, procedures, and standards as appropriate and in consultation with the ISO and/or Data Governance Committee.
- Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
- Reporting promptly to the ISO and/or Data Governance.
- Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
User: The user is any person who has been authorized to read, enter, print, or update information. A user of information is expected to:
- Access information only in support of their authorized job responsibilities.
- Comply with all data security procedures and guidelines in the Tallapoosa County Schools Data Governance Policy and all controls established by the data owner and/or data custodian.
- Keep personal authentication devices (e.g. passwords, secure cards, PINs, access codes, etc.) confidential.
- Report promptly to the ISO and/or Data Governance Committee the loss or misuse of Tallapoosa County Schools’ information.
- Follow corrective actions when problems are identified.
VI. DATA CLASSIFICATION
Classification is used to promote proper controls for safeguarding the confidentiality of data. Regardless of classification, the integrity and accuracy of all classifications of data must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the data. Data must be classified according to the most sensitive detail it includes. Data recorded in several formats (e.g., source document, electronic report) must have the same classification regardless of format. The following levels are to be used when classifying data.
- Personally Identifiable Information (PII)
- PII is information about an individual maintained by an agency including:
- Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records.
- Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious legal implications for Tallapoosa County Schools.
- Confidential Information
- Confidential Information is very important and highly sensitive material that is not classified as PII. This information is private and otherwise sensitive in nature and shall be restricted to those with a legitimate business need for access. Examples of Confidential Information may include personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords, and information file encryption keys.
- Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations or may cause significant problems for Tallapoosa County Schools, its staff, parents, students including contract employees, or its business partners. Decisions about the provision of access to this information shall always be cleared through the information owner and/or Data Governance Committee.
- Internal Information
- Internal Information is intended for unrestricted use within Tallapoosa County Schools, and in some cases within affiliated organizations such as Tallapoosa County Schools’ business or community partners. This type of information is already widely distributed within Tallapoosa County Schools, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include personnel directories, internal policies and procedures, and most internal electronic mail messages.
- Any information not explicitly classified as PII, Confidential, or Public will, by default, be classified as Internal Information.
- Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
- Public Information
- Public Information has been specifically approved for public release by a designated authority within each entity of Tallapoosa County Schools. Examples of Public Information may include marketing brochures and materials posted to Tallapoosa County Schools’ web pages.
- This information may be disclosed outside of Tallapoosa County Schools.
- Directory Information
- The Family Educational Rights and Privacy Act (FERPA) requires Tallapoosa County Schools, with certain exceptions, to obtain parental written consent prior to the disclosure of PII from a student’s education records. However, Tallapoosa County Schools may disclose appropriately designated directory information without written consent, unless parents have advised the district to the contrary in accordance with District procedures.
- The primary purpose of directory information is to allow Tallapoosa County Schools to include this type of information from a student’s education records in certain school publications. Publications may be in print or digital format. Examples of publications include, but are not limited to the following: a playbill, yearbook, honor roll or other recognition lists, graduation programs, and sports activity sheets showing the height and weight of team members.
- Directory information can also be disclosed to outside organizations without a parent’s written consent. Outside organizations include, but are not limited to, companies that manufacture class rings, publish yearbooks, take school pictures or process data.
- Tallapoosa County Schools defines Directory Information as follows:
- Student first and last name
- Student gender
- Student home address
- Student home telephone number
- Student school-assigned monitored and filtered email address
- Student photograph
- Student place and date of birth
- Student grade level
- Student dates of attendance (years)
- Student diplomas, honors, and awards received
- Student participation in school activities or school sports
- Student weight and height for members of school athletic teams
- Student most recent institution/school attended
- Student ID number
VII. COMPUTER AND INFORMATION CONTROL
All involved systems and information are assets of Tallapoosa County Schools and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software-based.
- Ownership of Software: All computer software developed by Tallapoosa County Schools employees or contract personnel on behalf of Tallapoosa County Schools, licensed or purchased for Tallapoosa County Schools use is the property of Tallapoosa County Schools and shall not be copied for use at home or any other location unless otherwise specified by the license agreement.
- Installed Software: All software packages that reside on technological systems within or used by Tallapoosa County Schools shall comply with applicable licensing agreements and restrictions and shall comply with Tallapoosa County Schools’ acquisition of software procedures.
*See also Appendix A (Acquisition of Software Procedures)
*See also Appendix B (Virus, Malware, Spyware, Phishing and SPAM Protection)
- Virus, Malware, Spyware, Phishing and SPAM Protection: Virus checking systems approved by the District Technology Department are deployed using a multi-layered approach (computers, servers, gateways, firewalls, filters, etc.) that ensures all electronic files are appropriately scanned for viruses, malware, spyware, phishing, and SPAM. Users shall not turn off or disable Tallapoosa County Schools’ protection systems or install other systems.
- Access Controls: Physical and electronic access to information systems that contain PII, Confidential and Internal information, and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the data governance committee and approved by Tallapoosa County. In particular, the data governance committee shall document roles and rights to the student information system and other like systems. Mechanisms to control access to PII, Confidential and Internal information include (but are not limited to) the following methods:
- Authorization: Access will be granted on a “need to know” basis and shall be authorized by the superintendent, principal, immediate supervisor, or Data Governance Committee with the assistance of the Technology Director and/or Information Security Officer (ISO). Specifically, on a case-by-case basis, permissions may be added to those already held by individual users in the student management system, again on a need-to-know basis and only in order to fulfill specific job responsibilities, with approval of the Data Governance Committee.
Any of the following methods are acceptable for providing access under this policy:
- Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include the time of day, location of the user, the strength of user authentication, etc.
- Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
- User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.
- Identification/Authentication: Unique user identification (user ID) and authentication are required for all systems that maintain or access PII, Confidential information, and/or Internal Information. Users will be held accountable for all actions performed on the system with their User ID. User accounts and passwords shall NOT be shared.
- Data Integrity: Tallapoosa County Schools provides safeguards so that PII, Confidential, and Internal Information is not altered or destroyed in an unauthorized manner. In addition, listed below are methods that are used for data integrity in various circumstances:
- transaction audit
- disk redundancy (RAID)
- data encryption
- data wipes
- Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:
- integrity controls and
- encryption, where deemed appropriate
Note: Only Tallapoosa County district-supported email accounts shall be used for communications to and from school employees, to and from parents or other community members, to and from educational agencies, to and from vendors or other associations, and to and from students for school business.
- Remote Access: Access into the Tallapoosa County network from outside will be granted using Tallapoosa County-approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PII, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protection as information stored and accessed within the Tallapoosa County network.
- Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.
The following physical controls must be in place:
- Computer systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
- File servers containing PII, Confidential, and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
- Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards.
- Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
- Contingency Operations – Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
- Facility Security Plan – Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Access Control and Validation – Documented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- Maintenance records – Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
- Physical Security
Controls are implemented to protect information system resources, the facility housing those resources, and the facilities used to support their operation. To protect against loss of control over system integrity and system availability, organizations need to address physical access controls, environmental controls, fire safety, and the protection of systems and data storage media from theft.
OBJECTIVE:
This policy communicates the essential aspects of physical security of computing equipment and data storage media that must be practiced by all information technology organizations to safeguard the integrity and availability of State information system resources and data.
RESPONSIBILITIES:
Agency Management, Information Technology Organization:
- Ensure computer systems and network equipment are properly secured to prevent unauthorized physical access and data is properly safeguarded to protect from loss.
- Control access to areas containing servers, data stores, and communications equipment. Access to secured areas shall be controlled by the use of access card keys, access code keypads, or key locks with limited key distribution. A record shall be maintained of all personnel who have authorized access.
- Closely control keys (where utilized). If a key is reported as missing, change or re-key the corresponding lock(s).
- Change access codes, where utilized, at least every 120 days or immediately upon removing someone from the authorized access list.
- Maintain a log of all visitors granted entry into secured areas or areas containing sensitive or confidential data (e.g., data storage facilities). Record the visitor’s name, organization, and the name of the person granting access. Retain visitor logs for no less than 6 months.
- Ensure visitors are escorted by a person with authorized access to the secured area.
- Ensure each facility containing computer and communications equipment has an appropriate fire suppression system and/or a class C fire extinguisher readily available and in working order.
- Store equipment above the floor, in racks whenever feasible, or on a raised floor to prevent damage from dampness or flooding. Use of water/moisture sensors is recommended.
- Monitor and maintain data center temperature and humidity levels. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends an inlet temperature range of 68 to 77 degrees and relative humidity of 40% to 55%.
- Store electronic media in secured and environmentally controlled areas, in fire-safe containers whenever feasible. Backup/archive media shall, whenever feasible, be stored in a secure off-site storage facility.
- Monitor and control the delivery and removal of all asset-tagged and/or data-storing IT equipment. Maintain a record of all such items entering or exiting their assigned location.
- Ensure that equipment being removed for transfer to another organization or being designated as surplus property is appropriately sanitized in accordance with applicable policies and procedures.
- Emergency Access:
- Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
- Procedures must be documented to address:
- Authorization,
- Implementation, and
- Revocation
- Equipment and Media Controls: The disposal of information must ensure the continued protection of PII, Confidential, and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PII into and out of a facility, and the movement of these items within the facility. The following specification must be addressed: * See also Appendix C
- Information Disposal / Media Re-Use of:
- Hard copy
- Magnetic media (floppy disks, hard drives, zip disks, etc.) and
- CD ROM Disks
- Flash Drives
- Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefor.
- Data backup and Storage: When needed, create a retrievable, exact copy of electronic PII before movement of equipment.
- Other Media Controls:
- PII and Confidential Information stored on external media (diskettes, cd-ROMs, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as PII or Confidential Information. Further, external media containing PII and Confidential Information must never be left unattended in unsecured areas.
- PII and Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smartphones, tablet PC’s, etc.) unless the devices have the following minimum security requirements implemented: *See also Appendix D
- Power-on passwords
- Auto logoff or screen saver with password
- Encryption of stored data or other acceptable safeguards approved by Information Security Officer
Further, mobile computing devices must never be left unattended in unsecured areas.
- If PII or Confidential Information is stored on an external medium or mobile computing device and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of the Tallapoosa County Schools Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with Tallapoosa County.
- Data Transfer/Exchange/Printing:
- Electronic Mass Data Transfers: Downloading, uploading, or transferring PII, Confidential, and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research or any other purposes that include PII must be in accordance with this policy and be approved by the data governance committee. All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. A Memorandum of Agreement (MOA) must be in place when transferring PII to external entities.
- Other Electronic Data Transfers and Printing: PII, Confidential, and Internal Information must be stored in a manner inaccessible to unauthorized individuals. PII and Confidential information must not be downloaded, copied, or printed indiscriminately, or left unattended and open to compromise. PII that is downloaded for educational purposes where possible should be de-identified before use.
- Oral Communications: Tallapoosa County staff should be aware of their surroundings when discussing PII and Confidential Information. This includes the use of cellular telephones in public areas. Tallapoosa County staff should not discuss PII or Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
- Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PII must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years.
- Evaluation: Tallapoosa County requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic PII to ensure its continued protection.
- Contingency Plan: Controls must ensure that Tallapoosa County can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain PII, Confidential, or Internal Information. This will include developing policies and procedures to address the following:
- Data Backup Plan:
- A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
- Backup data must be stored in an off-site location and protected from physical damage.
- Backup data must be afforded the same level of protection as the original data.
- Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of a fire, vandalism, natural disaster, or system failure.
- Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
- Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.
- Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.
Compliance
- The Data Governance and Use Policy applies to all users of Tallapoosa County information including employees, staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable Tallapoosa County procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with Tallapoosa County procedures. Further, penalties associated with state and federal laws may apply.
- Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
- Unauthorized disclosure of PII or Confidential Information as specified in Confidentiality Statement.
- Unauthorized disclosure of a sign-on code (user-id) or password.
- Attempting to obtain a sign-on code or password that belongs to another person.
- Using or attempting to use another person's sign-on code or password.
- Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
- Installing or using unlicensed software on Tallapoosa County computers.
- The intentional unauthorized destruction of Tallapoosa County information.
- Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.
VIII. Data Quality
A proactive approach to data governance requires establishing data quality standards and regular monitoring and updating the data management strategies to ensure that the data are accurate, relevant, timely, and complete for the purposes they are intended to be used. To ensure high-quality data, the following strategies are used to prevent, detect, and correct errors and misuses of data.
- Data stewards or their designees review student information for accuracy as it is submitted by parents, students, and teachers. This includes grades submitted into the PowerSchool portal.
- Data stewards or their designees correct data immediately when errors are brought to their attention.
- Data stewards or their designees allow access to only those individuals with a “need to know” status as determined by data stewards.
- Data Access
Data Users are expected to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to high-risk data; and to abide by applicable laws, policies, procedures, and guidelines with respect to access, use, or disclosure of information. The unauthorized use, storage, disclosure, or distribution of System Data in any medium is expressly forbidden; as is the access or use of any System Data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy one's personal curiosity or that of others.
Each employee at the system will be responsible for being familiar with the System’s Data Governance Policy and these security measures as they relate to his or her position and job duties. It is the express responsibility of authorized users and their respective supervisors to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.
Employees, whether or not they are authorized users, are expressly prohibited from installing any program or granting any access within any program to high risk without notifying the Technology Coordinator.
Violations of these data security measures may result in the following sanctions:
- loss of data access privileges,
- administrative actions,
- and/or personal civil and/or criminal liability.
PowerSchool - Student Management System
Certain individuals have a right to access student data, including both personally identifiable information and aggregate level data. These categories of people are outlined as follows:
Administrative Rights: View all PII at the system or school level
Grades and Low-Risk Demographics
Census Information/Low-Risk Demographics
Health Information & Demographics
Demographics and Lunch Information
System Level
Superintendent
System Coordinators
Principals
Counselors
School Level
Assistant Principals
RTI coordinator
Secretaries
Teachers
Librarians
Data Clerks
Nurses
Lunchroom Manager
Parent Access
Parents are given access to some of their child’s current educational records (grades, schedule, attendance, discipline) through the PowerSchool home portal. Log-in information is given to the parent when they present in person to sign for a user name and password. Passwords are changed upon initial login to the portal.
Assessment Data
The system test coordinator is the data steward of all student assessment data. Building Test Coordinators at each school (counselors) are given rights to enter students into online portals for testing and to retrieve, disseminate and house student assessment data in the guidance office in filing cabinets and cumulative student folders. All personnel who are given rights to online assessment results sign test security agreements and confidentiality over the web statements when given access.
Special Education
Special Education data is housed in SETSWEB and in special education files at the board office and in each case manager’s room under lock and key. After a certain number of years, pertinent data from special education files are sent to the school building level to be filed in respective cumulative files. The System Special Education coordinator is in charge of how information is collected, stored, disseminated, and destroyed. A Special Education Secretary assists the coordinator and is privy to all special education information. Case managers at the school level have access to IEP’s and all other special education records through SETSWEB. Counselors are given access to SETSWEB on a view-only basis. Teachers have access to IEPs and must sign to verify that they have received them and will keep them confidential.
Cumulative Student Records
Student cumulative files are housed in the guidance office. Files are sent up to the next school from feeder schools (i.e., 5th-grade files are sent to middle school at the end of the year and 8th-grade files are sent to high school). Certified staff and office personnel such as secretaries and data clerks have access to student files if they need to retrieve personal information for parents or postsecondary institutions upon written request by the student/parent (if a child is under 18).
Child Nutrition Information
Child nutrition information is housed within an onsite program called PCS Revenue Control System (Fastrak). Free/reduced lunch status is also stored in PowerSchool and in hard copies which are housed in the lunchroom manager’s office. A child nutrition coordinator oversees the management of student data for the system.
APPENDIX
Acquisition of Software Procedures
Appendix A
The purpose of the Acquisition of Software Procedures is to:
- Ensure proper management of the legality of information systems,
- Allow all academic disciplines, administrative functions, and athletic activities the ability to utilize proper software tools,
- Minimize licensing costs,
- Increase data integration capability and efficiency of Tallapoosa County Schools (TCS) as a whole, and
- Minimize the malicious code that can be inadvertently downloaded.
- Software Licensing:
- All district software licenses owned by TCS will be:
- kept on file at the central office,
- accurate, up to date, and adequate, and
- in compliance with all copyright laws and regulations
- All other software licenses owned by departments or local schools will be:
- kept on file with the department or local school technology office,
- accurate, up to date, and adequate, and
- in compliance with all copyright laws and regulations
- Software installed on TCS technological systems and other electronic devices:
- will have proper licensing on record,
- will be properly licensed or removed from the system or device, and
- will be the responsibility of each TCS employee purchasing and installing to ensure proper licensing
- Purchased software accessed from and storing data in a cloud environment will have a Memorandum of Agreement (MOA) on file that states or confirms at a minimum that:
- TCS student and/or staff data will not be shared, sold, or mined with or by a third party,
- TCS student and/or staff data will not be stored on servers outside the US unless otherwise approved by Tallapoosa County Schools’ Data Governance Committee,
- the company will comply with TCS guidelines for data transfer or destruction when the contractual agreement is terminated, and
- No API will be implemented without the full consent of TCS and the ALSDE.
- Software with or without physical media (e.g. downloaded from the Internet, apps, or online) shall still be properly evaluated and licensed if necessary and is applicable to this procedure. It is the responsibility of staff to ensure that all electronic resources are age-appropriate, FERPA compliant, and are in compliance with software agreements before requesting use. Staff members are responsible for ensuring that parents have given permission for staff to act as their agents when creating student accounts for online resources.
- Supported Software:
In an attempt to keep out software containing malware, viruses, or other security risks, software is categorized as Supported or Not Supported Software. For software to be classified as Supported Software, downloads and/or purchases shall be approved by the district technology director or designees such as a local school technology coordinator or member of the technical staff.
- A list of supported software will be maintained on the TCS District Technology site.
- It is the responsibility of the TCS Technology Team members to keep the list current and for staff to submit apps or other software to the Technology Team.
- Unsupported software is considered New Software and shall be approved or it will not be allowed on TCS-owned devices.
- When staff recommends apps for the TCS Mobile Device Management Apps Catalog or software for installation, it is assumed that the staff has properly vetted the app or software and that it is instructionally sound, is in line with curriculum or behavioral standards, and is age-appropriate.
- Software that accompanies adopted instructional materials will be vetted by the Curriculum and Instruction Director and the Technology Director and is therefore supported.
- New Software:
In the Evaluate and Test Software Packages phase, the software will be evaluated against current standards and viability of implementation into the TCS technology environment and the functionality of the software for the specific discipline or service it will perform.
- An evaluation may include but is not limited to the following:
- Conducting beta testing.
- Determining how the software will impact the TCS technology environment such as storage, bandwidth, etc.
- Determining hardware requirements.
- Determining what additional hardware is required to support a particular software package.
- Outlining the license requirements/structure, number of licenses needed, and renewals.
- Determining any Maintenance Agreements including cost.
- Determining how the software is updated and maintained by the vendor.
- Determining funding for the initial purchase and continued licenses and maintenance.
- When staff recommends apps for the TCS Mobile Device Management Apps Catalog or software for purchase and/or testing, it is the responsibility of the appropriate staff to properly vet the app or software to ensure that it is instructionally sound, is in line with curriculum or behavioral standards, and is age-appropriate.
Virus, Malware, Spyware, Phishing and SPAM Protection
Appendix B
Virus, Malware, and Spyware Protection
Tallapoosa County Schools desktops, laptops, and fileservers run the Microsoft Endpoint Protection software. Virus definitions are updated daily and an on-access scan is performed on all “read” files continuously. A full scheduled scan runs every day at 9:00 a.m. or at the next time the computer/laptop is turned on. A full scheduled scan is performed on all fileservers daily at 9:00 a.m.
Internet Filtering
Student learning using online content and social collaboration continues to increase. Tallapoosa County Schools views Internet filtering as a way to balance safety with learning—letting good content, resources, and connections in while blocking the bad. To balance educational Internet resources and app use with student safety and network security, the Internet traffic from all devices that authenticate to the network is routed through the Lightspeed Rocket filter using the user’s network credentials. For companion devices and guest devices, users see a “pop-up screen” that requires them to log in to the Lightspeed Rocket Internet filter with his/her network credentials or a guest login and password to gain access to the Internet. This process sets the filtering level appropriately based on the role of the user, such as student, staff, or guest, and more specifically for students, the grade level of the child. All sites that are known for malicious software, phishing, spyware, etc. are blocked.
Phishing and SPAM Protection
Email is filtered for viruses, phishing, spam, and spoofing using Alabama Super Computer Mail Watch.
Security Patches
Windows security patches and other Windows patches are scheduled to “auto-download” and “auto-install.” Fileservers are scheduled to “auto-download” and are manually updated after which the fileserver is manually rebooted.
Purchasing and Disposal Procedures
Appendix C
This procedure is intended to provide for the proper purchasing and disposal of technological devices only. Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device, or any other current or future electronic or technological device may be referred to as systems in this document. For further clarification of the term technological systems contact the Tallapoosa County Schools’ (TCS) district Technology Director.
All involved systems and information are assets of Tallapoosa County Schools and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software-based.
- Purchasing Guidelines
All systems that will be used in conjunction with Tallapoosa County Schools’ technology resources or purchased, regardless of funding, shall be purchased from an approved list or be approved by a local school Technology Coordinator and/or the District Technology Director. Failure to have the purchase approved may result in a lack of technical support, request for removal from premises, or denied access to other technology resources.
- Alabama Competitive Bid Laws
All electronic equipment is subject to Alabama competitive bid laws. There are several purchasing coops that have been approved for use by the Alabama State Examiners office: http://www.examiners.state.al.us/purchcoop.aspx. Generally, for technological devices and services, Tallapoosa County Schools purchases from the Alabama Joint Purchasing Agreement (ALJP): https://connect.alsde.edu/sites/eia/aljp/SitePages/ALJP%20(Alabama%20K-12%20(IT)%20Joint%20Purchasing)Home.aspx. In the event that the desired product is not included in one of these agreements, Tallapoosa County Schools bids the item or items using the district’s competitive bid process. All technological systems, services, etc. over $15,000 purchased with public funds are subject to Alabama’s competitive bid laws.
- Inventory
All technological devices or systems over $500 are inventoried by the Technology Department in accordance with the Tallapoosa County Schools’ Finance Department using the WASP inventory system. There are some exceptions under $500, as determined by the Technology Director, such as but not limited to companion devices or peripherals that are inventoried. It is the responsibility of the local school Technology Coordinator to inventory technological systems used in the local school and manage said inventory. The district technology staff is responsible for ensuring that any network equipment, fileservers, or district systems, etc. are inventoried.
- Disposal Guidelines
Equipment shall be considered for disposal for the following reasons:
- End of useful life,
- Lack of continued need,
- Obsolescence,
- Wear, damage, or deterioration,
- The excessive cost of maintenance or repair.
The local school principal, Technology Director, and the Director of Finance shall approve school disposals by discard or donation. Written documentation in the form of a spreadsheet including but not limited to the following shall be provided to the District Technology Office no later than Wednesday at 9:00 a.m. prior to the next Board of Education meeting on the following Monday:
- Fixed asset tag (FAT) number,
- Location,
- Description,
- Serial number, and
- Original cost and account code if available.
- Methods of Disposal
Once the equipment has been designated and approved for disposal, it shall be handled according to one of the following methods. It is the responsibility of the local school Technology Coordinator to modify the WASP inventory entry to reflect any in-school transfers, in-district transfers, donations, or discards for technological systems. The district technology staff is responsible for modifying the inventory records to reflect any transfers within the central offices, transfers of central office electronic equipment to local schools, central office donations, or central office discards.
- Transfer/Redistribution
If the equipment has not reached the end of its estimated life, an effort shall be made to redistribute the equipment to locations where it can be of use, first within an individual school or office, and then within the district. Service requests may be entered to have the equipment moved, reinstalled, and, in the case of computers, laptops, or companion devices, have it wiped and reimaged or configured.
- Discard
All electronic equipment in the Tallapoosa County Schools district shall be discarded in a manner consistent with applicable environmental regulations. Electronic equipment may contain hazardous materials such as mercury, lead, and hexavalent chromium. In addition, systems may contain Personally Identifiable Information (PII), Confidential, or Internal Information. Systems shall be wiped clean of this information prior to leaving the school district.
A district-approved vendor shall be contracted for the disposal of all technological systems/equipment. The vendor shall provide written documentation verifying the method used for disposal and a certificate stating that no data of any kind can be retrieved from the hard drive or any other component capable of storing data.
Under no circumstances should any technological systems/equipment be placed in the trash. Doing so may make Tallapoosa County Schools and/or the employee who disposed of the equipment liable for violating environmental regulations or laws.
- Donation
If the equipment is in good working order, but no longer meets the requirements of the site where it is located, and cannot be put into use in another part of a school or system, it may be donated upon the written request of the receiving public school system’s superintendent or non-profit organization’s director.
It shall be made clear to any school or organization receiving donated equipment that TCS is not agreeing to and is not required to support or repair any donated equipment. It is donated AS IS.
TCS staff should make every effort before offering donated equipment, to make sure that it is in good condition and can be re-used. Microsoft licenses or any other software licenses are not transferred outside the Tallapoosa County School system.
Donations are prohibited to individuals outside of the school system or to current faculty, staff, or students of Tallapoosa County Schools. The donation of or sale of portable technology-related equipment is permissible to retiring employees if the following criteria have been met:
- the portable equipment has been used solely by the retiring employee for over two years;
- the equipment will not be used by the employee assuming the responsibilities of the retiring employee; and
- the equipment has reached or exceeded its estimated life.
All donations and/or sales shall be approved by the Finance Director and Technology Director.
- Required Documentation and Procedures
- For purchases, transfers and redistributions, donations, and disposal of technology-related equipment, it is the responsibility of the appropriate technology team member to create/update the inventory to include previous location, new school and/or room location, and to note the transfer or disposal information. When discarding equipment, the fixed asset tag is removed from the equipment and turned in with other documentation to the local school bookkeeper. A spreadsheet export from WASP is sent to the district technology office. The Technology Director, in turn, submits to the CSFO for approval and to the Superintendent’s Office for Board approval.
- When equipment is donated, a copy of the letter requesting the equipment shall be on file with the district technology office prior to the donation. Equipment is donated in order of request.
- Any equipment donated shall be completely wiped of all data. This step will not only ensure that no confidential information is released, but also will ensure that no software licensing violations will inadvertently occur. For non-sensitive machines, all hard drives shall be fully wiped using a wiping program approved by the district technology office, followed by a manual scan of the drive to verify that zeros were written.
- Any re-usable hardware that is not essential to the function of the equipment that can be used as spare parts shall be removed: special adapter cards, memory, hard drives, zip drives, CD drives, etc.
A district-approved vendor SHALL handle all disposals that are not redistributions, transfers, or donations. Equipment shall be stored in a central location prior to pick-up. Summary forms shall be turned in to the district technology office and approved by the Finance Director prior to the scheduled “pick up” day. Mice, keyboards, and other small peripherals may be boxed together and shall not be listed on summary forms.
Password Control Standards
Appendix D
The Tallapoosa County Schools Data Governance and Use Policy requires the use of strictly controlled passwords for network access and for access to secure sites and information. In addition, all users are assigned to Microsoft security groups that are managed through Microsoft Group Policies. The security groups include separate groups at each school for Office Staff, Tech Staff, Instructional Staff, Students, and Users.
Password Standards:
- Users are responsible for complying with the following password standards for network access or access to secure information:
- Passwords shall never be shared with another person unless the person is a designated security manager.
- Every password shall, where possible, be changed every 120 days if not more frequently for staff and on an age-appropriate schedule for students.
- Passwords shall, where possible, have a minimum length of eight (8) characters.
- When possible, for secure sites and/or software applications, user-created passwords should adhere to the same criteria as required for network access. These criteria are defined in the TCS Network Group Policy Criteria for Passwords and are listed below:
  - Shall not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  - Shall contain characters from three of the following four categories:
    - English uppercase characters (A through Z)
    - English lowercase characters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphabetic characters (for example, !, $, #, %)
- Passwords shall never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by the Technology Department. This feature shall be disabled in all applicable systems.
- Passwords shall not be programmed into a PC or recorded anywhere that someone may find and use them.
- When creating a password for secure information or sites, it is important not to use passwords that are easily guessed due to their association with the user (e.g., children’s names, pets’ names, birthdays, etc.). A combination of alpha and numeric characters is more difficult to guess.
- Where possible, system software should enforce the following password standards:
- Passwords routed over a network shall be encrypted.
- Passwords shall be entered in a non-display field.
- System software shall enforce the changing of passwords and the minimum length.
- System software shall disable the user password when more than five consecutive invalid passwords are given. Lockout time shall be set at a minimum of 30 minutes.
- System software should maintain a history of previous passwords and prevent their reuse.
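The complexity criteria and the lockout rule above can be expressed as a small checker. This is an added example, not code from the district or from Microsoft Group Policy; the function and class names are hypothetical, and it assumes the account name is matched whole while the full name is split on whitespace and punctuation into parts longer than two characters.

```python
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                    # policy: minimum of eight characters
REQUIRED_CATEGORIES = 3           # policy: three of the four character categories
MAX_INVALID_ATTEMPTS = 5          # policy: disable after MORE than five consecutive failures
LOCKOUT = timedelta(minutes=30)   # policy: lockout of at least 30 minutes


def name_fragments(account_name, full_name):
    """Lower-cased strings that must not appear in the password.

    Assumption: the account name is checked as a whole; the full name is
    split on whitespace/punctuation and only parts longer than two
    characters count ("exceed two consecutive characters").
    """
    pieces = [account_name] + re.split(r"[\s,.\-_#]+", full_name)
    return sorted({p.lower() for p in pieces if len(p) > 2})


def check_password(password, account_name, full_name):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    categories = [
        re.search(r"[A-Z]", password) is not None,         # uppercase
        re.search(r"[a-z]", password) is not None,         # lowercase
        re.search(r"[0-9]", password) is not None,         # base 10 digits
        re.search(r"[^A-Za-z0-9]", password) is not None,  # symbols (assumed: anything else)
    ]
    if sum(categories) < REQUIRED_CATEGORIES:
        problems.append("too_few_categories")
    lowered = password.lower()
    for fragment in name_fragments(account_name, full_name):
        if fragment in lowered:  # case-insensitive match
            problems.append("contains_name:" + fragment)
    return problems


class LockoutTracker:
    """In-memory model of the consecutive-failure lockout rule."""

    def __init__(self):
        self._failures = {}      # account -> consecutive invalid attempts
        self._locked_until = {}  # account -> datetime when the lockout ends

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Record one logon attempt; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True  # attempts during a lockout are refused, not counted
        if self._locked_until.pop(account, None) is not None:
            self._failures[account] = 0  # lockout expired: start counting again
        if success:
            self._failures[account] = 0  # a valid logon breaks the streak
            return False
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] > MAX_INVALID_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT
            return True
        return False


if __name__ == "__main__":
    # Constructed sample accounts and passwords, for illustration only.
    samples = [
        ("Tr1cky#Horse", "jsmith", "Jane Smith"),
        ("jsmith2024!", "jsmith", "Jane Smith"),
        ("abcdefg", "jsmith", "Jane Smith"),
    ]
    for password, account, full_name in samples:
        print(account, repr(password), check_password(password, account, full_name) or "ok")

    tracker = LockoutTracker()
    start = datetime(2024, 1, 8, 8, 0)
    for attempt in range(1, 7):
        locked = tracker.record("jsmith", False, start)
        print("invalid attempt", attempt, "-> locked" if locked else "-> not locked")
```
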
Tallapoosa County Schools Technological Services and Systems
Memorandum of Agreement (MOA)
Appendix E
THIS MEMORANDUM OF AGREEMENT, executed and effective as of the ___ day of _____________, 20__, by and between _________________, a corporation organized and existing under the laws of _____________ (the “Company”), and TALLAPOOSA COUNTY SCHOOLS (TCS), a public school system organized and existing under the laws of the state of Alabama (the “School Board”), recites and provides as follows.
Recitals
The Company and the School Board are parties to a certain agreement entitled “_________________________” hereafter referred to as (the “Agreement”). In connection with the execution and delivery of the Agreement, the parties wish to make this Memorandum of Agreement (also referred to as MOA or Addendum) a part of the original Agreement in order to clarify and/or make certain modifications to the terms and conditions set forth in the original Agreement.
The Company and the School Board agree that the purpose of such terms and conditions is to ensure compliance with the Family Educational Rights and Privacy Act (FERPA) and the overall privacy and security of student Personally Identifiable Information (PII) hereafter referred to as student information and/or data, including but not limited to (a) the identification of the Company as an entity acting for the School Board in its performance of functions that a School Board employee otherwise would perform; and (b) the establishment of procedures for the protection of PII, including procedures regarding security and security breaches.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is acknowledged hereby, the parties agree as follows.
Agreement
The following provisions shall be deemed to be included in the Agreement:
Confidentiality Obligations Applicable to Certain TCS Student Records. The Company hereby agrees that it shall maintain, in strict confidence and trust, all TCS student records containing personally identifiable information (PII) hereafter referred to as “Student Information”. Student information will not be shared with any other resource or entity that is outside the intended purpose of the Agreement.
The Company shall cause each officer, director, employee, and other representatives who shall have access to TCS Student Records during the term of the Agreement (collectively, the “Authorized Representatives”) to maintain in strict confidence and trust all TCS Student Information. The Company shall take all reasonable steps to ensure that no TCS Student information is disclosed to any person or entity except those who (a) are Authorized Representatives of the Company performing functions for TCS under the Agreement and have agreed to be bound by the terms of this Agreement; (b) are authorized representatives of TCS, or (c) are entitled to such TCS student information from the Company pursuant to federal and/or Alabama law. The Company shall use TCS student information, and shall take all reasonable steps necessary to ensure that its Authorized Representatives shall use such information, solely for purposes related to and in fulfillment of the performance by the Company of its obligations pursuant to the Agreement.
The Company shall: (a) designate one of its Authorized Representatives to be responsible for ensuring that the Company and its Authorized Representatives maintain the TCS student information as confidential; (b) train the other Authorized Representatives with regard to their confidentiality responsibilities hereunder and pursuant to federal and Alabama law; (c) maintain at all times a list of Authorized Representatives with access to TCS student information.
Other Security Requirements. The Company shall maintain all technologies, policies, procedures, and practices necessary to secure and protect the confidentiality and integrity of TCS student information, including procedures to (a) establish user IDs and passwords as necessary to protect such information; (b) protect all such user passwords from detection and unauthorized use; (c) prevent hostile or unauthorized intrusion that could result in data corruption, or deny service; (d) prevent and detect computer viruses from spreading to disks, attachments to e-mail, downloaded files, and documents generated by word processing and spreadsheet programs; (e) minimize system downtime; (f) notify TCS of planned system changes that may impact the security of TCS data; (g) return or destroy TCS data that exceed specified retention schedules; (h) notify TCS of any data storage outside the US; (i) in the event of system failure, enable immediate recovery of TCS information to the previous business day. The Company should guarantee that MBS data will not be sold to, accessed by, or moved by third parties.
In the event of a security breach, the Company shall (a) immediately take action to close the breach; (b) notify TCS within 24 hours of Company's first knowledge of the breach, the reasons for or cause of the breach, actions taken to close the breach, and identify the TCS student information compromised by the breach; (c) return compromised TCS data for review; (d) provide communications on the breach to be shared with affected parties and cooperate with TCS efforts to communicate to affected parties by providing TCS with prior review of press releases and any communications to be sent to affected parties; (e) take all legally required, reasonable, and customary measures in working with TCS to remediate the breach which may include toll free telephone support with informed customer services staff to address questions by affected parties and/or provide monitoring services if necessary given the nature and scope of the disclosure; (f) cooperate with TCS by providing information, records and witnesses needed to respond to any government investigation into the disclosure of such records or litigation concerning the breach; and (g) provide TCS with notice within 24 hours of notice or service on Company, whichever occurs first, of any lawsuits resulting from, or government investigations of, the Company's handling of TCS data of any kind, failure to follow security requirements and/or failure to safeguard TCS data. The Company’s compliance with the standards of this provision is subject to verification by TCS personnel or its agent at any time during the term of the Agreement. Said information should only be used for the purposes intended and shall not be shared, sold, or moved to other companies or organizations nor should other companies or organizations be allowed access to said information.
Disposition of MBS Data Upon Termination of Agreement
Upon expiration of the term of the Agreement, or upon the earlier termination of the Agreement for any reason, the Company agrees that it promptly shall deliver to the School Board, and shall take all reasonable steps necessary to cause each of its Authorized Representatives promptly to deliver to the School Board, all required TCS student data and/or staff data. The Company hereby acknowledges and agrees that, solely for purposes of receiving access to TCS data and of fulfilling its obligations pursuant to this provision and for no other purpose (including without limitation, entitlement to compensation and other employee benefits), the Company and its Authorized Representatives shall be deemed to be school officials of the School Board, and shall maintain TCS data in accordance with all federal, state, and local laws, rules and regulations regarding the confidentiality of such records. The non-disclosure obligations of the Company and its Authorized Representatives regarding the information contained in TCS data shall survive termination of the Agreement. The Company shall indemnify and hold harmless the School Board from and against any loss, claim, cost (including attorneys' fees), or damage of any nature arising from or in connection with the breach by the Company or any of its officers, directors, employees, agents or representatives of the obligations of the Company or its Authorized Representatives under this provision.
Certain Representations and Warranties. The Company hereby represents and warrants as follows: (a) the Company has full power and authority to execute the Agreement and this MOA and to perform its obligations hereunder and thereunder; (b) the Agreement and this MOA constitute the valid and binding obligations of the Company, enforceable in accordance with their respective terms, except as such enforceability may be limited by bankruptcy or similar laws affecting the rights of creditors and general principles of equity; and (c) the Company’s execution and delivery of the Agreement and this Addendum and compliance with their respective terms will not violate or constitute a default under, or require the consent of any third party to, any agreement or court order to which the Company is a party or by which it may be bound.
Governing Law; Venue. Notwithstanding any provision contained in the Agreement to the contrary, (a) the Agreement shall be governed by and construed in accordance with the laws of the State of Alabama, without reference to conflict of laws principles; and (b) any dispute hereunder which is not otherwise resolved by the parties hereto shall be decided by a court of competent jurisdiction located in the State of Alabama.
IN WITNESS WHEREOF, the parties hereto have caused this Addendum to be executed by their duly authorized officers effective as of the date first written above.
[COMPANY NAME]
By:_____________________________
[Name]
[Title]
TALLAPOOSA COUNTY SCHOOLS
By:_____________________________
Joseph C. Windle
Superintendent
Tallapoosa County Schools
-
District Public Relations Plan
Tallapoosa County School System Public Relations/Communication Plan
What is school public relations?
The role of school public relations is to maintain mutually beneficial relationships between the school district and the many publics it serves. Public relations is a tool of communication that can be used to inform the community of news and events happening within our school district. A good Public Relations program can ensure that a school district carries out its mission and meets its goals with the support of the faculty, staff, and community.
What are the benefits of the Tallapoosa County Public Relations Program?
The Public Relations Program at Tallapoosa County Schools is designed to be a helpful communicator to the public to report positive attributes of the school system: student and faculty achievement, academic and sports achievement, new and upcoming programs within the system and to inform the community of upcoming activities and events within the district that are of importance to parents of students and to the communities that support our school system.
Tallapoosa County School System Vision Statement:
Our Vision: Tallapoosa County is building students today for a better tomorrow.
Tallapoosa County School System Mission Statement:
Our Mission: Students achieving at their fullest potential while preparing for success in College, Career, and Life.
Public Relations Objective:
To develop a public relations/communication program of action that all faculty and staff will embrace so the district will speak with a united voice. This plan, if correctly implemented by all parties, will earn internal and external public understanding, acceptance, and trust that the students in the Tallapoosa County School System are receiving a sound, preparatory education. The plan will also help us to seek and develop effective partnerships with families and community stakeholders in order to promote student achievement.
Desired Outcome:
To develop internal and external awareness of communication that will assist the Tallapoosa County School System in demonstrating to its key stakeholders that their students receive a quality education that will prepare them to be successful in a competitive global environment.
To affirm the school system's commitment to a communication plan that will inform all key stakeholders of the issues facing the Tallapoosa County School System.
To develop an understanding of and a commitment to the educational process that puts into practice the mission, goals, beliefs, and shared promises of the school system and facilitates the development of effective partnerships.
Communication Beliefs:
- We believe that the Tallapoosa County School’s faculties deliver effective educational programs that meet all of our students’ needs.
- We believe that the Tallapoosa County School’s faculties and staff are working to provide our children with a safe school environment where they will learn the basic skills needed in a changing world.
- We believe the Tallapoosa County School’s faculties and staff must be unified in their communication regarding the school system and must speak with one voice.
- We believe that it takes the entire Tallapoosa County community to work together to support the development of our children and to prepare them for the future.
Key Stakeholders designated by the Tallapoosa County School System
The Tallapoosa County School System believes that an effective communication/public relations plan should identify overall communication objectives and beliefs that deliver clear, consistent messages to key stakeholders. An effective communication plan will cause parents to become more excited about the academic success of their children. Teachers and students will be able to cope with the challenges of all students becoming successful. This brings a higher quality of living to the community and impacts the economic development in Tallapoosa County.
Stakeholders designated by the Tallapoosa County School System and their role in an effective public relations plan:
School Staff: Administrators in leadership positions, all staff both certified and classified.
- Faculty and staff should believe that they are the district's most important ambassadors and must speak in a unified voice.
- Faculty and staff should be energized and embrace the challenges of educating students to be life-long learners.
- The Tallapoosa County School System’s mission, goals, and beliefs should be fully understood and internalized by all those who work for the system.
- Faculty and staff should be able to speak clearly regarding the district and school's mission.
- Faculty and staff should feel a sense of satisfaction and pride in celebrating their students’ accomplishments and successes.
Parents/Extended Families: Current and Future Parents, Guardians, and Grandparents:
- Families will realize that students are receiving an education not only in basic skills but also in problem solving and application of key concepts as well as being challenged to stretch themselves beyond their present achievements to learn to apply what they know and think on a higher level.
- Through the celebration of student success, families will see that students are engaged in a challenging, caring, and nurturing school environment in which they are safe physically, mentally, and emotionally.
- Better two-way communication between families and the district/schools will enhance student learning and success.
- Families will have the understanding that the Tallapoosa County Schools are meeting the needs of a changing, global marketplace.
- Because of the ongoing, two-way communication between families and the district, the quality of education in the Tallapoosa County School System will be improved.
General Public:
- Taxpayers who are parents/guardians of students.
- Taxpayers with no children who live in the Tallapoosa County School District.
- Civic/Social Groups
- Tallapoosa County Schools’ Alumni
It is our goal for the community to believe:
- The Tallapoosa County School System is an efficiently run, quality school system that continues to strive toward greater excellence.
- The Tallapoosa County School System is one of the best educational programs in the state and
- The students of the Tallapoosa County School System are excited about learning and, therefore, the community must want to be involved with the education of our children.
- The workplace is changing, and the Tallapoosa County Schools are working to prepare their students for the future in a competitive global society.
Students:
It is our goal for students to understand:
- Education is a priority for becoming a productive citizen.
- Education reform initiatives will better prepare them for a changing workplace.
- Everyone can learn at a higher level given the right curriculum, resources, support, and time.
- That they must assume responsibility and accountability for their own learning by creating a positive self-image, setting goals, and evaluating their progress.
Media:
- Print Media: The Alexander City Outlook, The Dadeville Record, The Tallassee Tribune, Auburn-Opelika News
- Local Television Broadcast: Lake Broadcasting (WAXC) Alexander City, TV Channel 2, Lake Martin Today
- State TV Broadcast: WSFA TV Channel 12, Montgomery, WAKA Channel 8, Montgomery, WTVM Channel 9, Opelika News Room for ABC Channel 9 in Columbus, GA.
- Radio: WACQ FM/AM Tallassee, AL, WBMN, Alexander City, AL, WTLS FM Tallassee, AL
- School Newsletters
- Internet Resources: Tallapoosa County Schools Website: tallapoosak12.org
It is our goal that all communication efforts show that:
- The Tallapoosa County School System is an efficiently run, quality school district that strives toward greater excellence in all aspects.
- News and activities will be reported from the district and its schools in an open manner with the media.
- Recognition of students, staff, and educational programs should be an important objective of both the Tallapoosa County School System and the media in bringing about a higher quality of life for the area.
Business/Industry:
- Chambers of Commerce.
- Businesses highly involved in economic development in our community such as the Lake Martin Economic Development Alliance.
- Region 5 and Region 8 Workforce Development.
- Tier I and II automobile suppliers, Business/industry in the Auburn-Opelika area, Tallassee, Montgomery and Coosa County.
- Civic Groups: Kiwanis, etc.
It is our goal that the Business Community understands that:
- The Tallapoosa County School System is a quality school system willing to work with all aspects of the community to determine needs for lifelong learning opportunities.
- The Tallapoosa County School System continues to offer some of the best educational programs in the state.
- The Tallapoosa County School System faculty and staff are working within our schools and with the home and community to meet the needs of our customers.
- The Tallapoosa County School System welcomes and seeks the opinion of business persons in the community to collaborate in order to provide a sound curriculum, programs, services, support, and an environment in which students can prepare to be the business leaders of our community, state, and nation. The school system also seeks the development of effective partnerships with business leaders in order to strengthen educational opportunities for our students both in and out of school.
Religious Community:
- Tallapoosa County Ministerial Association, Lee – Macon Ministerial Association
- Individual Churches
It is our goal that the Tallapoosa County religious community understands that:
- Tallapoosa County students are taught in a concerned, caring, sound learning environment with a strong ethical and moral basis.
- Tallapoosa County students are instructed and cared for by upstanding and lawful individuals in a safe environment.
- The Tallapoosa County School System practices a positive and nurturing form of discipline that encourages the growth and development of strong, law-abiding citizens.
- The Tallapoosa County School System strongly speaks out against the use of drugs, alcohol, tobacco, and other addictive drugs and/or practices that are detrimental to student well-being.
- Tallapoosa County School System encourages Student-Led Prayer, Meet at the Flagpole, Fellowship of Christian Athletes, Fifth Quarter, and other events/organizations which promote spiritual development.
- Tallapoosa County students are being prepared to contribute to the total community in the
Government and Social Agencies and Civic Organizations:
- Tallapoosa County Sheriff’s Department, Probate Judge
- DHR, Children’s Advocacy Center, Juvenile Probation, Juvenile Judicial System, Mental Health, Dadeville Kiwanis Club
- Regional/State/National Government
- Lake Martin United Way
It is our goal that both local, state and national government and social agencies and organizations are aware that:
- The Tallapoosa County School System provides children with the necessary skills to function effectively today and in the future.
- The Tallapoosa County School System has a visionary administration, faculty, and staff that seek community support in a spirit of collaboration and networking and in determining the best solutions for allowing all students to be successful mentally, physically, and emotionally in their educational experiences.
- The community has a responsibility to provide additional support to all students to help them be successful in schools.
- The Tallapoosa County School System is providing a quality education that not only meets the needs of the students but also meets the needs of the parents, the community, the workforce, both public agencies and private businesses, and industry and society in general.
- The Tallapoosa County School System will work with all government, community groups, and agencies that provide child and youth services to guarantee that every student and family has the support needed when family resources are limited or inadequate.
- The Tallapoosa County School System will work with outside governmental and social agencies, civic organizations, and other systems in serving the needs of students at all of our schools.
Plan of Action:
Tallapoosa County School System’s Plan of Action
Public Relations Practices and Programs:
In order to enhance the image of the Tallapoosa County School System, increase Community awareness regarding the schools and school activities and programs, and increase Home/Community/School involvement, the Tallapoosa County Schools will adopt the following Public Relations projects to the best of our ability:
- Continue updating and making use of the district's website at tallapoosak12.org and social media platform to the fullest degree, keeping pages current with students, staff, programs, and community activities.
- Promote the district's website through publications printed by and for the school system.
- Conduct school tours for community leaders, elected officials, civic groups, churches, and new members moving into our district in order to promote our school system.
- Use newspaper and radio ads to promote students and programs in the Tallapoosa County School System.
- Continue the use of our communication systems so parents can stay informed concerning their children's grades, attendance, etc.
- Work with local ministers, the Ministerial Associations, and other groups for key Use church bulletins for announcements. Make the Sunday before or after school opens Education Sunday. Have each church emphasize the importance of education and recognize teachers, school staff, students, and parents of students.
- Provide speakers from the school system to be available to speak at community, business, school, or civic organization programs.
- Provide packets/folders of publications containing school information upon request to parents, businesses, realtors, etc.
- Recognize employees during significant dates such as the opening day of school, National Education Week, Teacher Appreciation Day, National Secretaries Day, etc.
- Encourage all schools and staff members to nominate Tallapoosa County employees for local, regional, state, and national awards.
- Work with the media, Chambers of Commerce, and civic groups to develop education awards at the local level.
- Work with the media, Chambers of Commerce, and civic groups on joint projects in order to promote the school system and enhance effective partnerships.
- Use the district website and social media platform to encourage community involvement.
- Showcase the accomplishments of teachers who use innovative curriculum and who are selected to serve on regional, state, and national committees and boards, in internal and external publications.
- Invite media to work with school communication contacts on how to best get the stories published. Send monthly calendars of school and district events to all news media to make the community aware of the activities taking place in our system.
- The public is notified through media of Board of Education meetings. During these meetings, parents and the public should be given opportunities to address the Board and make suggestions or comments.
- Send district and individual school activity news releases on a frequent and regular basis to all media contacts.
- Continue to saturate all news media in the Tallapoosa County market with news releases, feature stories, public service announcements, etc. using the mission statement and other information about our schools throughout the school year.
- In all publication and communication efforts, we will show the public our positive outcomes, not our processes for getting the job done.
- Conduct public relations workshops during faculty meetings at all schools for faculty, staff, and principals so that they will understand their role as key communicators in Public Relations for the school system.
- Work with United Way in carrying out community-wide parental education and school-readiness campaigns.
- Work with schools, churches, and community groups to create a cadre of mentors for students.
Summary
The primary emphasis placed on the Tallapoosa County School System Public Relations/Communication Plan is to create and maintain an outstanding, positive image that reflects the community's greatest expectations. Another objective of the plan is to create effective communication tools that maintain open channels of communication between the home, community, and schools; and keep all constituents informed of the affairs of the school system. The Tallapoosa County School System is committed to continuing its Public Relations/Communication Program - continually seeking additional ways to share information with its stakeholders and developing effective partnerships with these individuals, while at the same time, working internally to establish additional programs which will motivate and reward our students and staff.
Promoting our school system instills pride within the students, faculty, staff, parents, community, and all alumni wherever they may be. We must continue to make the commitment of telling the story of the students and faculty in the Tallapoosa County School System.
-
District Strategic Plan
STRATEGIC PLAN
This process began in the fall of 2013 when the Central Office Staff met to review our Vision, Mission, and Beliefs and how we as a staff could add value to the work in the schools. The process has continued throughout the past school year as we completed our Continuous Improvement Plans and began planning for AdvancED District Accreditation. This plan aligns with AdvancED standards, Alabama Plan 2020, Continuous Improvement Plans from each School, and the Capital Improvement Plan. We look forward to using this plan as a blueprint for accomplishing our Vision for Tallapoosa County Schools over the next five years.
VISION
Create a school system worthy of our children: This means excellence in academics, facilities, technology, fine arts, and extra-curricular activities.
MISSION STATEMENT
The mission of Tallapoosa County Schools is to ensure every student graduate is prepared for success in college, career, and life.
WHAT WE BELIEVE
In order to accomplish our mission, the Tallapoosa County School System is committed to these beliefs:
- We must know our students before we can teach them.
- All people have the right to be safe.
- Strong schools build strong communities.
- Public schools must be competitive.
- Education is a shared responsibility-schools, families, and communities.
- We have a moral obligation to prepare our children for the world they will live in.
GOVERNANCE AND LEADERSHIP
Goal 1.1: Develop highly qualified, effective, innovative, and committed Board of Education members through ongoing professional development.
Goal 1.2: Provide qualified, effective, and innovative systems and school leaders.
Goal 1.3: Provide opportunities and programs to involve students, parents, community members, elected officials, and other appropriate agencies in collaborative efforts to improve school system governance.
Goal 1.4: Review, revise and maintain effective Board of Education policies on which to base decision-making and consistent implementation of laws, rules, and guidelines.
TEACHING AND ASSESSING LEARNING
Goal 2.1: Provide all students a relevant, rigorous curriculum that will enable them to graduate with the ability to apply their knowledge in college, career, and life.
Goal 2.2: Improve student achievement so that all schools continue to reach yearly learning goals and that annual progress is made toward the target graduation rate of 100%.
Goal 2.3: Recruit and retain innovative, effective, and motivated personnel to meet the needs of the instructional program.
Goal 2.4: Effectively collect, analyze and use student achievement data for improved teaching and learning.
Goal 2.5: Expand and develop fine arts instruction opportunities across the system.
FACILITIES, RESOURCES, AND SUPPORT SYSTEMS
Goal 3.1: Maintain safe and secure learning environments throughout the school system.
Goal 3.2: Provide and maintain facilities based on objective criteria to provide the most appropriate, safe, secure, and attractive environment for all programs.
Goal 3.3: Secure financial resources necessary to achieve our vision, mission, and goals and use the best management practices to ensure the financial integrity of the school system.
Goal 3.4: Provide, maintain, and allocate up-to-date technology and other essential equipment and resources to deliver high-quality instruction; to provide effective communication; and, to support student achievement.
Goal 3.5: Effectively collect, analyze, and use financial, demographic, and resource data to guide fiscal decision-making and planning.
Goal 3.6: Provide and maintain efficient transportation, health/wellness, and nutrition services to support high-quality instruction and student achievement.
COLLABORATION, COMMUNICATION, AND CONTINUOUS IMPROVEMENT
Goal 4.1: Effectively use continuous improvement and accreditation monitoring plans to increase student achievement; evaluate school system success; and, guide decision-making.
Goal 4.2: Effectively implement Response to Instruction, Strategic Teaching, Co-Teaching, and Project Based Instruction to improve planning, collaboration, student engagement, and student learning.
Goal 4.3: Establish, expand and maintain collaborative relationships with workforce development agencies, business–industry groups, families, and post-secondary institutions to maximize student success.
Goal 4.4: Effectively disseminate, publish and provide access to school system data (achievement, fiscal, climate, safety, etc.) to all stakeholders to provide accountability, enhance credibility, and improve support for programs.
Goal 4.5: Effectively monitor, evaluate and report on the school system Strategic Plan.
STRATEGIC DELIMITERS
We will not initiate any new program or service unless:
- It is consistent with and contributes to our mission.
- It is accompanied by the training, staff development, and resources needed to assure its effectiveness.
- We can effectively inspect what we expect to gain from the program or service.