The Amherst County Public Schools (ACPS) cyber security program is a documented set of security policies, procedures, guidelines, and standards. Our security program should provide a roadmap for effective security management practices and controls. Having a strong security program helps an organization ensure the confidentiality, integrity, and availability of client and customer information, as well as the organization’s private data through effective security management practices and controls.

• Confidentiality – Concerned with controlling access to data so that only authorized users can access or modify it.
• Integrity – Focuses on keeping data clean and untainted, both in when the data is in use and when it’s stored. Users should be able to trust that data was not modified except by those who are authorized.
• Availability – While confidentiality is about making sure that only the people who need to access the data can get to it, availability is about making sure that it’s easy to access that data should an authorized person need to.
• ACPS shall focus on student data but all data is important (staff, community, etc).
• Breach notification - ACPS shall report any breach of personal identifying information of Virginia residents to the VA Attorney General’s office. ACPS shall report breach of student PII to their parents. ACPS must report even if the PII comes from a cloud hosting provider.
• Ransomware notification - If a victim of ransomware, ACPS shall report it immediately to CISA or a local FBI Field Office.
• Review and audit - IT shall review web server logs, apply web server updates and we have a next generation firewall. We recently had an external test and only one issue was found. Now that our new websites are hosted in the cloud, we have closed the one issue.
• Security Awareness Training - Email training sent twice a year. Work in monthly Superintendent meetings to stress paranoia to the small group of administrators.
• Data Retention and Disposition - ACPS shall erase or destroy hardware elements that contain data.
• Data Sharing - ACPS utilizes the Sample data privacy agreement created by the student data privacy consortium (SDPC). In addition, the SDPC and its members have already done the hard work of vendor compliance with many of the major EdTech vendors.  In our school division, we need only reference the previous agreements and state that we expect the vendor to follow the same rules with our division.
  • Another resource available is the Virginia Student Privacy Alliance (VSPA). The VSPA has a model or standard data privacy agreement. ACPS only needs to fill out the blank agreement form and both sides sign off. The VSPA also has signed agreements from specific vendors and other Virginia school districts. If our families want to know what data is being shared, we can provide the DPA to them. This agreement also references other laws such as FERPA and Virginia codes such as 22.1-289.01.
  • In addition to vendor relationships, internal users should be keenly aware of the type of student information they can share with others.  Student data is a protected asset and should be treated with the utmost respect.  Establish policies that govern data sharing and dissemination. Here’s a simple one pager and 5 tips for teachers and protecting student data.
• Network segmentation of HVAC and other systems needs to be done.
• Hardware/Software Useful Lifetime and Replacement Schedules - In today's security environment, we must learn to let go of older technology. In most cases, a lifespan of 3-5 years is appropriate. Remind budget committees that replacement of older technology is not a wish item. It's security, it's policy, and it's necessary.
• Board and Leadership Support - We must convince the Board that technology has a useful lifespan, and that the division has agreed to the terms of that lifespan. When leadership is on your side, you are protected.
• Inventory - Best practice is to inventory down to details such as the BIOS version on laptops, desktops, and servers. We will not be able to record this level of detail but we do have inventory information.
• Software Approval Process - Properly vette software and focus on the DPA.
• Patch Management - Stress to staff the importance about installing patches and allowing the technicians to update their computers.
• Anti Virus/Anti Malware - Monitor and keep our Endpoint protection up to date.
• Disable Auto Run - This has been rolled out across the ACPS computer system.
• Hard Drive Encryption - Information and Technology is deploying bitlocker to key personnel such as principals and other administrators.

Contact Information and Resources:

• Dean Johnson, Director of Threat Management: dean.johnson@vita.virginia.gov
• Computer Crime Section at 804-786-2071
• US Department of Education Protecting Student Privacy
• CyberSecurity & Infrastructure Security Agency #StopRansomware Guide
• CyberSecurity & Infrastructure Security Agency Cybersecurity Best Practices
• The K-12 Cybersecurity Reouces Center
• K-12 Security Information eXchange (K12 SIX)
• Center for Internet Security
• IAPP
• Cybersecurity for K-12 Schools and School Districts: Developing a Cyber Annex Fact Sheet 
• K-12 BluePrint Security Toolkit
• Virginia Fusion Center (contact the Fusion Center if we think we were compromised)

Introduction

This document is the disaster recovery plan for Amherst County Public Schools, Technology Support Group. The information present in this plan guides administrators and technical staff in the recovery of computing and network facilities operated by ACPS in the event that a disaster destroys all or part of the facilities.

Description

The Recovery plan is composed of a number of sections that document resources and procedures to be used in the event that a disaster occurs at any ACPS location. Each supported computing platform has a section containing recovery procedures. There are also sections that document the personnel that will be needed to perform the recovery tasks and an organizational structure for the recovery process.

General Information About The Plan

Over the years, dependence upon the use of computers in the day-to-day business activities of many organizations has become the norm. Amherst County Public Schools certainly is no exception to this trend. These machines are linked together by a sophisticated network that provides communications with other machines across our locations and around the world. Vital functions of ACPS depend on the availability of this network of computers.

Consider for a moment the impact of a disaster that prevents the use of the system to process Student Registration, Payroll, Accounting, or any other vital application for weeks. Students and faculty rely upon our systems for instruction and research purposes, all of which are important to the well-being of ACPS. It is hard to estimate the damage to the Division that such an event might cause. One tornado properly placed could easily cause enough damage to disrupt these and other vital functions of the Division. Without adequate planning and preparation to deal with such an event, the Division’s central computer systems could be unavailable for many weeks.

Primary Focus of the Plan

The primary focus of this document is to provide a plan to respond to a disaster that destroys or severely cripples the Division’s central computer systems. The intent is to restore operations as quickly as possible with the latest and most up-to-date data available.

All disaster recovery plans assume a certain amount of risk, the primary one being how much data is lost in the event of a disaster. Disaster recovery planning is much like the insurance business in many ways. There are compromises between the amount of time, effort, and money spent in the planning and preparation of a disaster and the amount of data loss you can sustain and still remain operational following a disaster. Time enters the equation, too. Many organizations simply cannot function without the computers they need to stay in business. So their recovery efforts may focus on quick recovery, or even zero down time, by duplicating and maintaining their computer systems in separate facilities.

The techniques for backup and recovery used in this plan do NOT guarantee zero data loss. The Division's administration is willing to assume the risk of data loss and do without computing for a period of time in a disaster situation.

Data recovery efforts in this plan are targeted at getting the systems up and running with the last available off-site backup. Significant effort will be required after the system operation is restored to (1) restore data integrity to the point of the disaster and (2) to synchronize that data with any new data collected from the point of the disaster forward.

This plan does not attempt to cover either of these two important aspects of data recovery. Instead, individual users and departments will need to develop their own disaster recovery plans to cope with the unavailability of the computer systems during the restoration phase of this plan and to cope with potential data loss and synchronization problems.

Primary Objectives of the Plan

This disaster recovery plan has the following primary objectives:

1. Present an orderly course of action for restoring critical computing capability to the ACPS Division.
2. Set criteria for making the decision to recover at a cold site or repair the affected site.
3. Describe an organizational structure for carrying out the plan.
4. Provide information concerning personnel that will be required to carry out the plan and the computing expertise required.
5. Identify the equipment, floor plan, procedures, and other items necessary for the recovery

The ACPS Incident Response Plan identifies the following ACPS Division Leaders to be assigned specific tasks and to be prepared to discover even more tasks:

• Superintendent or Designee - Communications/Public Relations, Board Liaison, and Legal
• Chief Academic Officer or Designee - Technical, Customer Support, and Auditing
• Chief Operations Officer or Designee - Technical, Customer Support, Law Enforcement Liaison, and Auditing