• Purpose of the information security regulations

    The purposes of the information security regulations are:

    • Maintain confidentiality, integrity and availability of the Plano Independent School District's electronic communication and data management systems, including, without limit, its telephone system, managed computers, computer networks, electronic mail systems, videoconferencing systems, cloud services, and its Internet and intranet access capabilities (referred to throughout as the “System”).
    • Comply with applicable laws and regulations.
    • Foster responsible use of the System by building a culture of information security risk awareness and mitigation. 

     

    General

    • The district will use a layered approach of security controls, hardware/software inventory, secure baseline configuration, patching, monitoring, protection, detection, and authentication to ensure overall security of the System.
    • Security reviews of servers, firewalls, routers, monitoring platforms, backups, and audit logs must be conducted on a regular basis. 
    • Anti-malware software must be installed on all servers and user devices where appropriate for malware defense. 
    • Next-generation firewalls must be implemented at all network ingress and egress points for access control and threat prevention.
    • The network must be segmented by function and sensitivity to limit lateral movement of threats and reduce the impact of security incidents.
    • Email security solutions must be in place to provide protection from phishing and spam emails.
    • Centralized logging and monitoring via a Security Information and Event Management (SIEM) system must be implemented to detect and respond to potential threats in real-time. 
    • Vulnerability and risk assessment tests of the System must be conducted on a regular basis.
    • Routine system and data backups must be performed. Backups must be periodically tested to ensure functionality. 
    • A disaster recovery plan, recovery prioritization, and the security of backup data must be maintained.
    • An incident response plan must be maintained, and regular tabletop exercises must be conducted.
    • Cybersecurity awareness and education must be implemented to ensure that users understand their shared responsibility of protecting the district's data, network and system resources.
    • Violation of the Information Security Regulations may result in disciplinary actions as authorized by the district in accordance with district disciplinary policies, procedures, and codes of conduct.

     

    Acceptable Use

    • Access to the System shall be made available to students and employees primarily for educational and administrative purposes.
    • Access to the System is a privilege, not a right. Users must comply with all administrative regulations and guidelines.
    • The District reserves the right to use the System for purposes as it sees fit and reserves the right to monitor all activity on the System, including individual user accounts. The District may monitor use, including appropriate use, at any time to ensure appropriate use for educational or administrative purposes and/or compliance with District policy.
    • The District’s System will only be used for learning, teaching, and administrative purposes consistent with the District’s mission and goals. Commercial use of the District’s System is strictly prohibited. The System may not be used for illegal purposes, in support of illegal activities, or for any other activity prohibited by District Policy or guidelines.
    • System users will immediately notify a campus administrator, the System administrator, or Technology Services if a potential security problem is suspected or exists.
    • System users must not download, install or run any programs or utilities on their systems except those authorized and installed by the IT Department and specifically designed to conduct the business of the District.  All software must be reviewed for network and hardware compatibility by the IT Department prior to authorization of purchase, donation or use by the Administration. Unauthorized software is subject to removal upon discovery.
    • All enterprise architecture, roadmap, and emerging technology must be reviewed for network, hardware and security compliance by the IT Department prior to authorization of purchase, donation or use by the Administration.
    • All software and hardware changes must be reviewed by the IT Department for authorization. 
    • Any attempt to harm or destroy the System, District equipment or data, the data of another user of the District’s System, or the data of the agencies or other networks that are connected to the Internet, is prohibited.
    • System users should be mindful that use of school-related electronic mail addresses might lead some recipients or other readers of that mail to assume the System user represents the District or school, whether or not that was the user’s intention.
    • We each have a responsibility for ensuring the District's system and data are protected from unauthorized access and improper use. 

     

    Data Security

    • Confidential Data or other information essential to the mission of the District should be stored on a District-managed network server and cloud storage when possible, rather than on District-owned desktop workstations, laptops, or portable devices. “Confidential Data” shall include, but is not limited to, the following: student data, educational records, employee data, metadata, user content, course content, materials, and any and all data and information that the District maintains.
    • Sensitive and protected district data must be encrypted, using secure protocols/algorithms, at rest and in transit.
    • Users shall not disclose confidential District data except as permitted or required by law and only as part of their official duties on behalf of the District.
    • Forgery or attempted forgery of electronic mail messages or misrepresentation of the identity of a sender is prohibited.
    • The District shall preserve and destroy documents, including electronically stored information, according to procedures developed by the records management officer.
    • The District shall require electronic recyclers to erase all data on all hard drives on all computer equipment to the latest Department of Defense (DoD 5220.22-M) specifications and provide the district with a Certificate of Destruction which verifies the same.
    • All messages, files and documents – including personal messages, files and documents – located on the District System are owned by the District, may be subject to open records requests, and may be accessed in accordance with this policy.
    • System users may not gain unauthorized access to System and/or District resources or information. Unauthorized access or attempts to access the System are strictly prohibited and will result in appropriate disciplinary action. 
    • Users may not store Confidential District Data with an unauthorized third-party storage service (often referred to as "cloud" storage) or on their personal devices.
    • All third-party providers are required to comply with the District Data Sharing Agreement.

     

    Access Control

    • Access privileges will be assigned to users to provide the minimum necessary permission to perform job responsibilities. 
    • Network accounts will be assigned to individuals, except when a shared account is justified by the functions being performed. Accounts designed specifically for a shared purpose or specific system task, such as facilitating data backups or scheduled batch processing, will be granted only in cases when absolutely necessary and will be shared with as few individuals as necessary to effectively perform District operations. 
    • Users may not share individually-assigned access control devices (e.g. door access badges, and/or door keys) unless necessary to preserve life safety. 
    • Users must create password(s) that meet the District's password complexity requirements. 
    • Users should protect their password(s) and should not disclose their passwords to any other person to help ensure the security and integrity of the System. No user should attempt to gain access to another user’s electronic mailbox, telephone voicemail box, computer files, or Internet account unless expressly authorized to do so by the user whose systems are being accessed, or by an authorized representative of the District. Any user who receives information such as electronic mail messages in error should not read the message, but should instead return the message to the sender and delete the message immediately.
    • Account credentials should not be hard coded into scripts, software code, or system configurations. When hard coding credentials is deemed necessary, system owners will store these files securely and will maintain sufficient documentation to allow periodic manual changes to passwords or other credentials.
    • When employment relationships are subject to change or termination, responsible management will participate in checkout processes defined by Human Resources to ensure timely disabling of system access.
    • The District may disable user network access based on a reasonable indication that the account has been disclosed to, or compromised by, a malicious party.
    • The District may require multi-factor authentication (MFA) for all remote, administrative, and application access where technically feasible.
    • All third-party providers are required to comply with District security policies and standards.

     

    Exemptions

    • Compliance with all elements of this regulation may not be possible in some situations given the tradeoffs between risk, cost, and operational impact. Users may request exemptions to elements of this regulation from the Assistant Superintendent for Technology Services. When applicable, the requester will be asked to accept risks associated with non-compliance. Exemption requests should include an explanation of why compliance with specific regulation elements is not feasible and should describe compensating controls that are in place to reduce risk. Approved exemptions will include an expiration date. 

     

    Reporting an Incident

    • Report any cybersecurity issues/incidents to:

    Plano ISD Help Desk
    helpdesk@pisd.edu
    469-752-8767

     

    Information Security Regulations are regularly reviewed by the IT Department and updated to address evolving threats and align with the district’s operational and security needs. 

    Last updated on 4/16/2025