Frederick County Public Schools would develop and implement an information security program to protect student and employee data, under a new policy being considered.
The Frederick County Board of Education expressed initial support for the policy and its aligning regulations at a work session on Wednesday.
The proposed policy is in response to a data breach that FCPS became aware of last September that compromised the names, Social Security numbers, and birth dates of about 1,000 students in the school system in 2005-06. The breach occurred before 2010, school officials said at the time.
The new policy, which the board moved to a second reading, states that the superintendent is responsible for developing a set of regulations along with a “Written Information Security Program,” or WISP, for staff to maintain using FCPS information systems.
The school system already had guidelines and practices in place for response, but the new policy and regulations are more formal and thorough.
“I think we had a moment where we realized our posture was prepared but reactive after the data breach this year,” said Liz Barrett, school board vice president. “This policy, the data security policy, is designed to emphasize comprehensive preparedness, including the responsibility of all staff for data security.”
The security program “will address data privacy, incident response planning, acceptable use of technology, and information technology security awareness training,” according to the policy.
The WISP itself was not immediately available, and Superintendent Terry Alban and Director of Technology Infrastructure Edward Gardner did not immediately respond to a request for comment on the security program. But the regulations developed by Alban and Gardner provide information on what the WISP will include.
For example, the WISP includes guidelines to mitigate and communicate risks for FCPS student and staff information systems, and will meet an “acceptable minimum level of IT security controls and data privacy practices.”
The policy will also include increased training for employees on how to treat sensitive information. Employees had been trained on data privacy in the past, Barrett said, but new training will be more frequent and more intensive.
“The IT staff is rolling out new training and proactive communication and reminders to employees about their roles in data security,” Barrett said. Staff will continue to be trained in things such as encrypting email and protecting personally identifiable information, Barrett added.
In January, the board discussed bringing in a contractor to help test the district’s data security. The request for proposals would have required the contractor to perform quarterly tests of what access the public has to data and to mobile and web-based applications. It’s unclear whether an expert was ever hired or will be in the future.