Some of the following information is pertinent only to Arizona school districts. Please see your auditor or consultant for additional information about its applicability to your organization.
Q: What are good password requirements and how often should passwords be changed?
A: Password requirements should include a minimum length, a requirement to use both upper- and lower-case letters, numbers, and special characters ($, !, #, etc.), and a prohibition on reusing a previously used password. If possible, the system should also automatically check new passwords against lists of the most common or especially weak passwords and disallow those.
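The following is an added example (not part of the original FAQ) showing how a system could enforce the requirements listed above: minimum length, character classes, a weak-password list, and a no-reuse check against salted hashes of previous passwords. The weak-password list, the 12-character minimum, and the history depth of 10 are assumptions chosen for illustration; a real system would load a published list of breached or common passwords.

```python
import hashlib
import hmac
import os
import string

# Constructed sample of commonly used passwords (assumption: a real deployment
# would load a much larger published list rather than this hand-picked set).
WEAK_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12       # assumed policy value
HISTORY_DEPTH = 10    # assumed number of previous passwords that may not be reused


def _digest(password, salt):
    # Previous passwords are kept only as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password(password, history):
    """Return a list of policy violations; an empty list means the password is acceptable.

    history is a list of (salt, digest) pairs for the user's previous passwords.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Compare case-insensitively so trivial variants of listed passwords are caught.
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak-password list")
    # Reuse check: re-hash with each stored salt and compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append("matches a previously used password")
            break
    return problems


def remember_password(password, history, salt=None):
    """Record an accepted password in the user's history as a salted hash."""
    salt = salt if salt is not None else os.urandom(16)
    history.append((salt, _digest(password, salt)))
```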
IT policies and procedures
Q: What should the District’s IT policies and procedures include?
A: The following list of policy topics is not intended to be exhaustive, so a district may have additional policy needs. Only after evaluating current systems and processes will a district be able to determine exactly what policies and procedures it needs to help secure its IT resources. Further resources available include but are not limited to, Control Objectives for Information and Related Technology (COBIT), National Institute of Standards and Technology (NIST), Federal Information System Controls Audit Manual (FISCAM), and the International Organization for Standardization (ISO).
Some policy topics a district should address include the following:
- Data privacy, security, and access to data and systems, including data backup, remote access, and wireless networks.
- General IT security, including user password security, device security settings, etc.
- Logging and monitoring of key activities on systems and networks.
- Appropriate use of the Internet and district e-mail systems.
- Use of Student Information System.
- Use of Accounting Information System.
- Disaster recovery planning.
Disaster recovery plan
Q: What should a disaster recovery plan include?
A: Since a district uses technology systems to perform many business operations, it is critical to ensure that the IT systems are available and running effectively. IT Disaster Recovery Planning involves analyzing business functions and the IT systems, data, and resources necessary to support those business functions in case of emergencies or disasters and determining methods to restore full functionality. Such emergencies can include both natural disasters and human-error incidents.
The items necessary for each plan may vary by entity, but some basic DRP components include the following:
- Identification of critical equipment, data, and resources, including off-site locations to store backup data and maintain redundant system resources to allow for emergency data processing.
- Contact list of key individuals with their roles and responsibilities.
- Procedures for regularly backing up systems and data and regularly testing backups.
- Procedures for activating the DRP, notifying appropriate parties, and assessing the severity of the disruption and the required response.
- Steps and procedures for restoring systems to full functionality.
- Supporting information as necessary to ensure a comprehensive plan such as business impact analysis, vendor contact information, etc.
- Conducting regular tests to ensure all areas are performing as required.
Q: Who should be involved in determining user roles and how should they be determined?
A: User roles should be used to restrict access to the least privilege necessary. In essence, this ensures users are provided access only to the resources and data required to perform their jobs, and are restricted from resources that are not necessary to their job function. For example, a payroll clerk would likely not need to create purchase orders as part of their job function, and therefore a payroll clerk user role would not include access to create or approve purchase orders. User roles and access would be affected by the size of the district. Decisions on who needs what access are best made by administration with input from department heads and IT.
The content of this page is for general information purposes only and does not constitute advice. Heinfeld, Meech & Co., P.C. tries to provide content that is true and accurate as of the date of writing; however, we give no assurance or warranty regarding the accuracy, timeliness, or applicability of any of the contents.