System Security Policy

The Governing Board and staff of the Stark/Portage Area Computer Consortium recognize that data maintained by the SPARCC Data Acquisition Site (DAS) is the legal property of the school district which entered such data or to which such data is assigned. SPARCC, therefore, is a holder in public trust of the data. The Board adopts the following policy statements concerning access to and security of the data. These statements are intended to assure the inviolability of the data, provide for procedures to permit access to data, and recommend features which districts and SPARCC can implement to promote system and data security.

Data Access

Data maintained by the SPARCC Data Acquisition Site (DAS) shall be recognized as the property of the district and under the control of the district for purposes of access. Access to the data shall be granted as follows:

District personnel receive access upon the written authorization of the District’s Superintendent and Treasurer. Such access may be restricted (as may be practical or technically possible) to certain data sets and/or specific access types. SPARCC shall provide a standard form for authorization.

SPARCC staff has access when such access is within the scope of their assigned duties, but only as may be necessary to maintain the data structure, research and correct problems, and provide backup capabilities.

SPARCC will not under any circumstances provide outside access to a district’s data. However, SPARCC is required by the State Department of Education to send aggregated EMIS data as per their requirements.

Security Recommendations

The first point of security is access to the computer system and its data via the local network or users. To enhance security and reduce the risk of unauthorized access, the following guidelines shall be followed:

Each account will be assigned to a primary user who will be held responsible for its use.

Each user account shall require a password with a minimum of six characters. This password shall be treated as confidential information by the users; no list of passwords shall be maintained by SPARCC or the District.

All users will be required by the system to change their password at least every 90 days, with the exception of “free internet accounts”, which must have passwords assigned by SPARCC and shall be changed at least every year.

A review of user account activity will be performed quarterly by SPARCC staff. User accounts that have not been accessed in the previous 180 days will be disabled.

Users shall be granted only those privileges consistent with the duties and responsibilities of their position. Authorized privileges shall be grouped into either a “normal” or “extended” category; “normal” privileges are granted by the system when a user logs onto the system and represent the privileges required to perform the user’s normal duties; “extended” privileges are those privileges which the user may be authorized to use, but which must be specifically enabled by the user before being utilized.

Access to the computer system via an electronic network outside the SPARCC area will be restricted to the minimum level of access necessary for authorized users. No “general access” accounts shall be maintained.

Access to privileged or system accounts shall only occur with the authorization of the SPARCC Director. Following outside access to a privileged account, the account password shall be changed to prevent further access without SPARCC staff knowledge.

Sufficient audit alarms shall be enabled to track attempts to break into a user or system account and other security related events. The audit log shall be reviewed daily for suspicious entries and a record kept of actions taken regarding such entries.

In all events, the SPARCC Director shall have the authority and responsibility to take actions necessary to ensure the integrity of the data and security of the computer system or to enable district users to utilize the computer system to fulfill the duties associated with their position.