CQB(LEGAL) - TECHNOLOGY RESOURCES: CYBERSECURITY

Cybersecurity

Policy

  1. Secure district cyberinfrastructure against cyber attacks and other cybersecurity incidents; and
  2. Determine cybersecurity risk and implement mitigation planning.

Cybersecurity Coordinator

Cyber Attack or Cybersecurity Incident

Report to TEA

Report to Parent

Definitions

Breach of System Security

Cyber Attack

Cybersecurity

Training

Requirements

  1. Identify district employees and elected and appointed board members who have access to a district computer system or database and use a computer to perform at least 25 percent of the employee's or board member's required duties; and
  2. Require the employees and board members identified under item 1 to complete a cybersecurity training program certified under Government Code 2054.519 (state-certified cybersecurity training programs).

Denial of Access

Exceptions

  1. Granted military leave;
  2. Granted leave under the federal Family and Medical Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);
  3. Granted leave related to a sickness or disability covered by workers' compensation benefits, if that employee no longer has access to the district's database and systems;
  4. Granted any other type of extended leave or authorization to work from an alternative work site if that employee no longer has access to the district's database and systems; or
  5. Denied access to a district's computer system or database by the board or the board's designee for noncompliance with the requirements of item 2 at Training, Requirements, above.

Program

  1. Verify and report on the completion of a cybersecurity training program by district employees and board members to the DIR; and
  2. Require periodic audits to ensure compliance with these provisions.

Security Breach Notification

To Individuals

Resident of Other State

To the Owner or License Holder

Notice

  1. Written notice at the last known address of the individual;
  2. Electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001 (electronic records and signatures); or
  3. If the district demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the district does not have sufficient contact information, by:
    1. Electronic mail, if the district has electronic mail addresses for the affected persons;
    2. Conspicuous posting of the notice on the district's website; or
    3. Notice published in or broadcast on major statewide media.

Information Security Policy

To the Attorney General

  1. A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  2. The number of residents of this state affected by the breach at the time of notification;
  3. The number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;
  4. The measures taken by the district regarding the breach;
  5. Any measures the district intends to take regarding the breach after the notification described at Notice, above; and
  6. Information regarding whether law enforcement is engaged in investigating the breach.

To a Consumer Reporting Agency

Criminal Investigation Exception

Definitions

Breach of System Security

Sensitive Personal Information

  1. An individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
    1. Social security number;
    2. Driver's license number or government-issued identification number; or
    3. Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
  2. Information that identifies an individual and relates to:
    1. The physical or mental health or condition of the individual;
    2. The provision of health care to the individual; or
    3. Payment for the provision of health care to the individual.

Cybersecurity Information Sharing Act

Removal of Personal Information

  1. Review such indicator to assess whether it contains any information not directly related to a cybersecurity threat that the district knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
  2. Implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the district knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.

Definitions

Cybersecurity Purpose

Cybersecurity Threat

Cyber Threat Indicator

  1. Malicious reconnaissance, as defined in 6 U.S.C. 1501(12), including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
  2. A method of defeating a security control or exploitation of a security vulnerability;
  3. A security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
  4. A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
  5. Malicious cyber command and control, as defined in 6 U.S.C. 1501(11);
  6. The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
  7. Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
  8. Any combination thereof.

Defensive Measure

Information System

Security Control

Security Vulnerability

Clifton ISD

CQB(LEGAL)-P

UPDATE 118

DATE ISSUED: 10/29/2021