FILE:  EFC

 

BUSINESS CONTINUITY AND TECHNOLOGY DISASTER RECOVERY

 

 

The Avoyelles Parish School Board recognizes the importance of maintaining and protecting computer hardware and software, including necessary equipment and supplies to maintain computer operations in the event of a disaster.  The School Board shall authorize the Superintendent and/or his/her designee to maintain appropriate regulations and procedures for the proper usage of School Board owned or leased computer equipment and the protection of electronic media, applications, and stored user data.

 

Such regulations and procedures shall assure that:

 

  1. All electronic devices (computers, servers, mobile devices, printers, appliances, etc.) receive available system and software patches, firmware and other updates in a timely manner.

  2. All electronic devices (computers, servers, mobile devices, tablets, etc.) should have licensed anti-virus software and be automatically updated daily by the software vendor where applicable.

  3. Data critical to daily operations is identified and documented.

  4. Backup frequency objectives are clearly defined and procedures are in place to verify the backups are occurring.

  5. Backups may be stored locally but should also reside in a separate physical location isolated from the local network where backups are occurring (offsite and/or cloud, etc.).

  6. Periodic testing and verification should be performed to ensure that backups can be restored within the recovery time objective (RTO) as defined by the School Board.

  7. A Business Continuity and Technology Disaster Recovery Plan shall be created that clearly establishes actions to be taken before, during, and after an occurrence, undesirable event, or disaster.  The Plan shall be developed, defined, and tested at regular intervals in order to restore critical functions and reestablish normal operations within the RTO (Recovery Time Objective) established by the School Board.

 

PATCH MANAGEMENT

 

The security of computer systems is critical to the continued operations of the School Board.  A consistent and comprehensive patch management procedure will substantially reduce risks such as viruses, malware, ransomware, and various cyber-crimes that target un-patched systems.  Patch management shall be handled in accordance with the standard procedures outlined in the Business Continuity and Technology Disaster Recovery Plan.  Exceptions to the standard procedure may be permitted when justified.  Any exceptions must be fully documented.  The standard procedure for patch management shall include the following:

 

 

 

 

ANTI-VIRUS

 

A comprehensive anti-virus deployment substantially reduces risks such as viruses, malware, ransomware, and various cyber-crimes that target systems without protection.  Anti-virus deployment shall be handled in accordance with the standard procedures outlined in the Business Continuity and Technology Disaster Recovery Plan.  Exceptions to the standard procedures may be permitted when justified.  Any exceptions shall be fully documented.  The standard procedure for anti-virus deployment shall include the following:

 

 

 

 

 

 

BACKUP - IDENTIFICATION OF DATA

 

Important and/or critical data as defined by the Avoyelles Parish School Board in the Business Continuity and Technology Disaster Recovery Plan includes the following file types:

 

 

Picture/movie files such as (.bmp, .jpeg, .jpg, .tiff, .mpeg, .wav, .mp3, etc.) shall not be backed up unless special circumstances arise.  Permission shall be directed to the Technology Department to request backup of these file types.

 

BACKUP – FREQUENCY AND STORAGE

 

Backup of all important and/or critical computer data shall be handled in accordance with the standard procedures outlined by the Technology Department.  Exceptions to the standard procedures may be permitted when justified.  Any exceptions must be fully documented.  The standard procedure for systems backup shall be as follows:

 

 

 

 

 

 

 

BACKUP – VERIFICATION AND TEST RESTORES

 

The Technology Department shall be responsible for establishing procedures to verify backups and perform test restores on files and systems.  The standard procedure for verification and testing shall include:

 

 

BACKUP – RESTORATION OF FILES

 

Active files that are accidentally damaged or deleted can normally be restored from backup within one working day provided the Technology Department is notified in a timely manner.  Files can only be restored to the state they were in at the time the most recent relevant backup was taken.

 

Accounting systems can be activated under the Business Continuity and Technology Disaster Recovery Plan established with the software vendor in a timeline established by the software vendor.

 

BUSINESS CONTINUITY AND TECHNOLOGY DISASTER RECOVERY PLAN

 

In the event of an occurrence, undesirable event or disaster (“event”), the restoration of computing services is critical to the continued operations of the School Board.  A Business Continuity and Technology Disaster Recovery Plan shall be created that clearly establishes actions in preparation of an event, procedures to follow during an event, and the review and recommendations that should occur after the event.  Business Continuity and Technology Disaster Recovery shall be handled in accordance with the standard procedures outlined by the Technology Department.  Exceptions to the standard procedures may be permitted when justified.  Any exceptions must be fully documented and approved by the School Board.  The standard procedures for Business Continuity and Technology Disaster Recovery shall include:

 

 

CYBERSECURITY TRAINING

 

The School Board shall identify employees or School Board members who have access to the School Board's information technology assets and require those employees and School Board members to complete cybersecurity training.  Each School Board member or employee with access to the School Board’s information technology assets shall complete this training within the first thirty (30) days of initial service or employment with the agency.

 

The Superintendent shall verify and report to the Department of State Civil Service on the completion of cybersecurity training by employees.  The Superintendent shall periodically require an internal review to ensure compliance.

 

The School Board shall require any contractor who has access to School Board information technology assets to complete cybersecurity training during the term of the contract and during any renewal period.

 

Completion of cybersecurity shall be included in the terms of a contract awarded by a state or local government agency to a contractor who has access to its information technology assets.

 

The person who oversees contract management for the School Board shall report each such contractor's completion to the Superintendent and periodically review agency contracts to ensure compliance.  The Superintendent shall verify and report to the Department of State Civil Service on the completion of cybersecurity training by each such contractor.

 

New policy:  December 1, 2020

 

 

Ref:    La. Rev. Stat. Ann. §§17:81, 42:1267

Board minutes, 12-1-20

 

Avoyelles Parish School Board