CQB(LEGAL) - TECHNOLOGY RESOURCES: CYBERSECURITY

Cybersecurity Policy

  1. Secure district cyberinfrastructure against cyber attacks and other cybersecurity incidents; and
  2. Determine cybersecurity risk and implement mitigation planning.

Cybersecurity Coordinator

Report to TEA

Report to Parent

Definitions

Breach of System Security

Cyber Attack

Cybersecurity

Cybersecurity Training

  1. Verify and report on the completion of a cybersecurity training program by district employees to the DIR; and
  2. Require periodic audits to ensure compliance with these provisions.

District Training Program

Security Breach Notification

To Individuals

Resident of Other State

To the Owner or License Holder

Notice

  1. Written notice at the last known address of the individual;
  2. Electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001 (electronic records and signatures); or
  3. If the district demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the district does not have sufficient contact information, by:
    1. Electronic mail, if the district has electronic mail addresses for the affected persons;
    2. Conspicuous posting of the notice on the district's website; or
    3. Notice published in or broadcast on major statewide media.

Information Security Policy

To the Attorney General

  1. A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  2. The number of residents of this state affected by the breach at the time of notification;
  3. The measures taken by the district regarding the breach;
  4. Any measures the district intends to take regarding the breach after the notification described at Notice, above; and
  5. Information regarding whether law enforcement is engaged in investigating the breach.

To a Consumer Reporting Agency

Criminal Investigation Exception

Definitions

Breach of System Security

Sensitive Personal Information

  1. An individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
    1. Social security number;
    2. Driver's license number or government-issued identification number; or
    3. Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
  2. Information that identifies an individual and relates to:
    1. The physical or mental health or condition of the individual;
    2. The provision of health care to the individual; or
    3. Payment for the provision of health care to the individual.

Cybersecurity Information Sharing Act

Removal of Personal Information

  1. Review such indicator to assess whether it contains any information not directly related to a cybersecurity threat that the district knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
  2. Implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the district knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.

Definitions

Cybersecurity Purpose

Cybersecurity Threat

Cyber Threat Indicator

  1. Malicious reconnaissance, as defined in 6 U.S.C. 1501(12), including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
  2. A method of defeating a security control or exploitation of a security vulnerability;
  3. A security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
  4. A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
  5. Malicious cyber command and control, as defined in 6 U.S.C. 1501(11);
  6. The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
  7. Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
  8. Any combination thereof.

Defensive Measure

Information System

Security Control

Security Vulnerability

Celeste ISD

CQB(LEGAL)-P

UPDATE 115

DATE ISSUED: 7/9/2020