CQB(LEGAL) - TECHNOLOGY RESOURCES: CYBERSECURITY

Cybersecurity Policy

  1. Secure district cyberinfrastructure against cyber attacks and other cybersecurity incidents; and
  2. Determine cybersecurity risk and implement mitigation planning.

Cybersecurity Coordinator

Report to TEA

Report to Parent

Definitions

Breach of System Security

Cyber Attack

Cybersecurity

Cybersecurity Training

  1. Verify and report on the completion of a cybersecurity training program by district employees to the DIR; and
  2. Require periodic audits to ensure compliance with these provisions.

District Training Program

Security Breach Notification

To Individuals

Resident of Other State

To the Owner or License Holder

Notice

  1. Written notice at the last known address of the individual;
  2. Electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001 (electronic records and signatures); or
  3. If the district demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the district does not have sufficient contact information, by:
    1. Electronic mail, if the district has electronic mail addresses for the affected persons;
    2. Conspicuous posting of the notice on the district's website; or
    3. Notice published in or broadcast on major statewide media.

Information Security Policy

To the Attorney General

  1. A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  2. The number of residents of this state affected by the breach at the time of notification;
  3. The measures taken by the district regarding the breach;
  4. Any measures the district intends to take regarding the breach after the notification described at Notice, above; and
  5. Information regarding whether law enforcement is engaged in investigating the breach.

To a Consumer Reporting Agency

Criminal Investigation Exception

Definitions

Breach of System Security

Sensitive Personal Information

  1. An individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
    1. Social security number;
    2. Driver's license number or government-issued identification number; or
    3. Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
  2. Information that identifies an individual and relates to:
    1. The physical or mental health or condition of the individual;
    2. The provision of health care to the individual; or
    3. Payment for the provision of health care to the individual.

Cybersecurity Information Sharing Act

Removal of Personal Information

  1. Review such indicator to assess whether it contains any information not directly related to a cybersecurity threat that the district knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
  2. Implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the district knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.

Definitions

Cybersecurity Purpose

Cybersecurity Threat

Cyber Threat Indicator

  1. Malicious reconnaissance, as defined in 6 U.S.C. 1501(12), including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
  2. A method of defeating a security control or exploitation of a security vulnerability;
  3. A security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
  4. A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
  5. Malicious cyber command and control, as defined in 6 U.S.C. 1501(11);
  6. The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
  7. Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
  8. Any combination thereof.

Defensive Measure

Information System

Security Control

Security Vulnerability

Access to Electronic Communications

Electronic Communication Privacy Act

  1. Intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, oral, or electronic communication;
  2. Intentionally uses, endeavors to use, or procures any other person to use or endeavor to use any electronic, mechanical, or other device to intercept any oral communication when:
    1. Such device is affixed to, or otherwise transmits a signal through, a wire, cable, or other like connection used in wire communication; or
    2. Such device transmits communications by radio, or interferes with the transmission of such communication; or
    3. Such person knows, or has reason to know, that such device or any component thereof has been sent through the mail or transported in interstate or foreign commerce; or
    4. Such use or endeavor to use takes place on the premises of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or obtains or is for the purpose of obtaining information relating to the operations of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or
    5. Such person acts in the District of Columbia, the Commonwealth of Puerto Rico, or any territory or possession of the United States;
  3. Intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the prohibited interception of a wire, oral, or electronic communication;
  4. Intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the prohibited interception of a wire, oral, or electronic communication; or
  5. Intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, intercepted by means authorized by 18 U.S.C. 2511(2)(a)(ii), 2511(2)(b)–(c), 2511(2)(e), 2516, and 2518; knowing or having reason to know that the information was obtained through the interception of such a communication in connection with a criminal investigation; having obtained or received the information in connection with a criminal investigation; and with intent to improperly obstruct, impede, or interfere with a duly authorized criminal investigation.

Stored Wire and Electronic Communications and Transactional Records Access Act

Exceptions

  1. By the person or entity providing a wire or electronic communications service;
  2. By a user of that service with respect to a communication of or intended for that user; or
  3. By sections 18 U.S.C. 2703, 2704, or 2518.

Definitions

Electronic Communication

Electronic Storage

  1. Any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
  2. Any storage of such communication by an electronic communication service for purposes of backup protection of such communication.

Electronic Communications System

Electronic Communication Service

Facility

Person

Dayton ISD

CQB(LEGAL)-P

UPDATE 114

DATE ISSUED: 11/18/2019