Texas Cybersecurity Framework Mapping for Plano ISD Information Security Regulations

      This page provides a comprehensive mapping between Plano Independent School District's Information Security Regulations and the Texas Cybersecurity Framework (TCF). For each TCF control, the corresponding regulation text is quoted, with the section of the regulations it comes from given in parentheses. The mapping demonstrates how the district's security regulations align with state-recommended cybersecurity practices.


      IDENTIFY Function

      Control#1. Identify: Privacy & Confidentiality

      Users shall not disclose confidential District data except as permitted or required by law and only as part of their official duties on behalf of the District. (Data Security)

      Control#2. Identify: Data Classification

      "Confidential Data" shall include, but is not limited to, the following: student data, educational records, employee data, metadata, user content, course content, materials, and any and all data and information that the District maintains. (Data Security)

      Control#3. Identify: Critical Information Asset Inventory

      The district will use a layered approach of security controls, hardware/software inventory, secure baseline configuration, patching, monitoring, protection, detection, and authentication to ensure overall security of the System. (General)

      Control#4. Identify: Enterprise Security Policy, Standards and Guidelines

      Maintain confidentiality, integrity and availability of the Plano Independent School District's electronic communication and data management systems, including, without limit, its telephone system, managed computers, computer networks, electronic mail systems, videoconferencing systems, cloud services, and its Internet and intranet access capabilities. (Purpose)

      Control#5. Identify: Control Oversight and Safeguard Assurance

      Security reviews of servers, firewalls, routers, monitoring platforms, backups, and audit logs must be conducted on a regular basis. (General)

      Control#6. Identify: Information Security Risk Management

      Vulnerability and risk assessment tests of the System must be conducted on a regular basis. (General)

      Control#7. Identify: Security Oversight and Governance

      Foster responsible use of the System by building a culture of information security risk awareness and mitigation. (Purpose)

      Control#8. Identify: Security Compliance and Regulatory Requirements Mgmt

      Comply with applicable laws and regulations. (Purpose)

      Control#9. Identify: Cloud Usage and Security

      Confidential Data or other information essential to the mission of the District should be stored on a District-managed network server and cloud storage when possible, rather than on District-owned desktop workstations, laptops, or portable devices. (Data Security)

      Control#10. Identify: Security Assessment and Authorization/Technology Risk Assessments

      Vulnerability and risk assessment tests of the System must be conducted on a regular basis. (General)

      Control#11. Identify: External Vendors and Third Party Providers

      All software must be reviewed for network and hardware compatibility by the IT Department prior to authorization of purchase, donation or use by the Administration. Unauthorized software is subject to removal upon discovery. (Acceptable Use)

      All third-party providers are required to comply with the District Data Sharing Agreement. (Data Security)

      Control#43. Identify: Secure Application Development

      Not applicable, as the District does not develop applications in-house.

      Control#44. Identify: Beta Testing

      Not applicable, as the District does not develop applications in-house.

      Control#45. Identify: Penetration Testing

      Vulnerability and risk assessment tests of the System must be conducted on a regular basis. (General)

      Control#46. Identify: Vulnerability Testing

      Vulnerability and risk assessment tests of the System must be conducted on a regular basis. (General)


      PROTECT Function

      Control#12. Protect: Enterprise Architecture, Roadmap & Emerging Technology

      All enterprise architecture, roadmap, and emerging technology must be reviewed for network, hardware and security compliance by the IT Department prior to authorization of purchase, donation or use by the Administration. (Acceptable Use)

      Control#13. Protect: Secure System Services, Acquisition and Development

      All software must be reviewed for network and hardware compatibility by the IT Department prior to authorization of purchase, donation or use by the Administration. Unauthorized software is subject to removal upon discovery. (Acceptable Use)

      Control#14. Protect: Security Awareness and Training

      Cybersecurity awareness and education must be implemented to ensure that users understand their shared responsibility of protecting the district's data, network and system resources. (General)

      Control#15. Protect: Privacy Awareness and Training

      Cybersecurity awareness and education must be implemented to ensure that users understand their shared responsibility of protecting the district's data, network and system resources. (General)

      Control#16. Protect: Cryptography

      Sensitive and protected district data must be encrypted, using secure protocols/algorithms, at-rest and in transport. (Data Security)

      Control#17. Protect: Secure Configuration Management

      The district will use a layered approach of security controls, hardware/software inventory, secure baseline configuration, patching, monitoring, protection, detection, and authentication to ensure overall security of the System. (General)

      Control#18. Protect: Change Management

      All software and hardware changes must be reviewed by the IT Department for authorization. (Acceptable Use)

      Control#19. Protect: Contingency Planning

      Disaster recovery plan, recovery prioritization, and the security of backup data must be maintained. (General)

      Control#20. Protect: Media

      District shall require electronic recyclers to erase all data on all hard drives in all computer equipment to the latest Department of Defense (DoD 5220.22-M) specifications and provide the district with a Certificate of Destruction which verifies the same. (Data Security)

      Control#21. Protect: Physical and Environmental Protection

      Users may not share individually-assigned access control devices (e.g., door access badges and/or door keys) unless necessary to preserve life safety. (Access Control)

      Control#22. Protect: Personnel Security

      When employment relationships are subject to change or termination, responsible management will participate in checkout processes defined by Human Resources to ensure timely disabling of system access. (Access Control)

      Control#23. Protect: Third-Party Personnel Security

      All third-party providers are required to comply with all security policies and standards. (Access Control)

      All third-party providers are required to comply with the District Data Sharing Agreement. (Data Security)

      Control#24. Protect: System Configuration Hardening & Patch Management

      The district will use a layered approach of security controls, hardware/software inventory, secure baseline configuration, patching, monitoring, protection, detection, and authentication to ensure overall security of the System. (General)

      Control#25. Protect: Access Control

      Access privileges will be assigned to users to provide the minimum necessary permission to perform job responsibilities. (Access Control)

      Control#26. Protect: Account Management

      Network accounts will be assigned to individuals, except when a shared account is justified by the functions being performed. Accounts designed specifically for a shared purpose or specific system task, such as facilitating data backups or scheduled batch processing, will be granted only in cases when absolutely necessary and will be shared with as few individuals as necessary to effectively perform District operations. (Access Control)

      Control#27. Protect: Security Systems Management

      Security reviews of servers, firewalls, routers, monitoring platforms, backups, and audit logs must be conducted on a regular basis. (General)

      Control#28. Protect: Network Access and Perimeter Controls

      A next-generation firewall must be implemented at all network ingress and egress points for access control and threat prevention. (General)

      The network must be segmented by function and sensitivity to limit threat lateral movement and reduce the impact of security incidents. (General)

      Control#29. Protect: Internet Content Filtering

      The District's System will only be used for learning, teaching, and administrative purposes consistent with the District's mission and goals. Commercial use of the District's System is strictly prohibited. (Acceptable Use)

      Control#30. Protect: Data Loss Prevention

      Users may not store Confidential District Data with an unauthorized third-party storage service (often referred to as "cloud" storage) or on their personal devices. (Data Security)

      Control#31. Protect: Identification & Authentication

      Users must create password(s) that meet the District's password complexity requirements. Users should protect their password(s) and should not disclose their passwords to any other person to help ensure the security and integrity of the System. (Access Control)

      Control#32. Protect: Spam Filtering

      Email security solutions must be in place to provide protection from phishing and spam emails. (General)

      Control#33. Protect: Portable & Remote Computing

      Users may not store Confidential District Data with an unauthorized third-party storage service (often referred to as "cloud" storage) or on their personal devices. (Data Security)

      Control#34. Protect: System Communications Protection

      The district will use a layered approach of security controls, hardware/software inventory, secure baseline configuration, patching, monitoring, protection, detection, and authentication to ensure overall security of the System. (General)

      Sensitive and protected district data must be encrypted, using secure protocols/algorithms, at-rest and in transport. (Data Security)

      Control#42. Protect: Systems Currency

      The district will use a layered approach of security controls, hardware/software inventory, secure baseline configuration, patching, monitoring, protection, detection, and authentication to ensure overall security of the System. (General)


      DETECT Function

      Control#35. Detect: Vulnerability Assessment

      Vulnerability and risk assessment tests of the System must be conducted on a regular basis. (General)

      Control#36. Detect: Malware Protection

      Anti-malware software must be installed on all servers and user devices where appropriate for malware defense. (General)

      Control#37. Detect: Security Monitoring and Event Analysis

      Centralized logging and monitoring via a Security Information and Event Management (SIEM) system must be implemented to detect and respond to potential threats in real-time. (General)

      Control#41. Detect: Audit Logging

      Security reviews of servers, firewalls, routers, monitoring platforms, backups, and audit logs must be conducted on a regular basis. (General)


      RESPOND Function

      Control#38. Respond: Cyber-Security Incident Response

      An incident response plan must be maintained, and regular tabletop exercises must be conducted. (General)

      Report any cybersecurity issues or incidents to the Plano ISD Help Desk (helpdesk@pisd.edu, 469-752-8767). (Reporting an Incident)

      Control#39. Respond: Privacy Incident Response

      An incident response plan must be maintained, and regular tabletop exercises must be conducted. (General)

      Report any cybersecurity issues or incidents to the Plano ISD Help Desk (helpdesk@pisd.edu, 469-752-8767). (Reporting an Incident)


      RECOVER Function

      Control#40. Recover: Disaster Recovery Procedures

      Disaster recovery plan, recovery prioritization, and the security of backup data must be maintained. (General)

      Routine system and data backups must be performed. Backups must be periodically tested to ensure functionality. (General)


      Last updated on 04/17/2025