VHCS Data Governance Policy 4.10

Protecting the privacy of students' and staff data is an important priority, and Vestavia Hills City Schools (VHCS) is committed to maintaining strong and meaningful privacy and security protections. The privacy and security of this information are a significant responsibility, and school officials value the trust of students, staff, parents, legal guardians, and the community. For this document “data” and “information” may be used interchangeably and refer to PII, confidential, sensitive and/or other internal information that would require protection against unauthorized access, disclosure, alteration, or destruction to ensure the privacy, integrity, and security of student, staff, and district records in compliance with applicable laws, regulations, and district policies.

The VHCS Data Governance policy includes information regarding the Data Governance Committee, the actual VHCS Data and Information Governance Policy, and references relevant documents for clarification and training.

The policy defines how VHCS ensures its data remains accurate, accessible, consistent, and secure during operations and instruction.  The document establishes who is responsible for information under various circumstances and specifies the procedures to be used to manage and protect it.

The Data Governance Committee and the Technology Director are responsible for reviewing the relevant documents referenced annually and ensuring that all staff are trained in Data Governance.  

2025-2026 VHCS District Data Governance Committee

Dr. Todd Freeman, Superintendent 

Whit McGhee, Director of Public Relations

Meredith Hanson, Executive Director of Personnel

Brooke Wedgworth, Director of Elementary Curriculum and Instruction

Brendan Lovelady, Director of Technology/Chief Technology Officer

Dena Fore, Data Administrator

Lee Dansby, Assistant Director of Technology

Jamie Underwood, Assistant Principal - Vestavia Hills Elementary Dolly Ridge

Kim Polson, Principal - Vestavia Hills Elementary Cahaba Heights

Cindy Echols, Principal - Vestavia Hills Elementary East

Susan McCall, Principal - Vestavia Hills Elementary West

Malorie Bryan, Teacher - Vestavia Hills Elementary West

Tiffany Marron, Principal - Vestavia Hills Elementary Liberty Park

Joshua Smith, Teacher - Vestavia Hills Elementary Liberty Park

Laura Ezell, Library Media Specialist - Liberty Park Middle School

Alicia Hunsberger, Principal - Pizitz Middle School

Laura Casey, Assistant Principal - Vestavia Hills High School

Amy Tucker, Teacher - Vestavia Hills High School

Lauren Dressback, Principal - Alternative Placement Program

The Data Governance committee shall meet, at a minimum, two times per year to review this policy, application requests, and to ensure alignment of this policy with district goals.

Additional meetings shall be called as needed, and additional staff invited as needed.

Policy
It is the policy of VHCS that data or information in all its forms (written, spoken, electronic, or printed) is protected from accidental or intentional unauthorized modification, destruction, or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment, software, and practices used to process, store, and transmit data or information.

The data governance policies and procedures must be documented and reviewed.

VHCS conducts annual training on its data governance policy and documents.

The terms “data” and “information” are used separately, together, and interchangeably throughout the policy. The intent is the same.

Scope

The Superintendent is authorized to establish, implement, and maintain data and information security measures. The Superintendent may also designate other individuals to assist in establishing, implementing, and maintaining data and information security measures. The policy, standards, processes, and procedures apply to all students and employees of the district, contractual third parties and agents of the district, and volunteers who have access to district data systems or data. This policy and all of its appendices apply to all protected information in any form.

This policy applies to all forms of VHCS’ data and information, including but not limited to:

• Speech or any form of communication, spoken face-to-face, or communicated by post/courier, fax, email, text, chat, any form of social media, online applications, etc., or any future technologies;
• Hard copy data printed or written;
• Data stored and/or processed by on-premise servers, cloud services/storage, PC’s, laptops, tablets, mobile devices, removable media, and any future technologies

Regulatory Compliance

VHCS will abide by any local, state, and national law, statutory, regulatory, or contractual obligations affecting its information systems, including, but not limited to, the following:

• Children’s Internet Protection Act (CIPA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• Protection of Pupil Rights Amendment (PPRA)
• AL House Bill 166 - FOCUS Act
• Alabama Data Breach Notification Act of 2018 (Acts 2018-396)

Risk Management

A thorough risk analysis of all VHCS’ data networks, systems, policies, and procedures shall be conducted on an annual basis or as requested by the Superintendent. The risk assessment shall be used as a basis for a plan to mitigate identified threats – internal or external, natural or man-made, electronic and non-electronic, and risk to an acceptable level.

The Superintendent or designee shall administer periodic risk assessments to identify, quantify, and prioritize risks. Based on the periodic assessment, measures shall be implemented that mitigate the threats by reducing the amount and scope of the vulnerabilities.

*See Document B. Risk Management Practices

Data Classification

Classification is used to promote proper controls for safeguarding the confidentiality of data. Regardless of classification, the integrity and accuracy of all classifications of data are protected. The classification assigned and the related controls applied are dependent on the sensitivity of the data. Data are classified according to the most sensitive detail they include. Data recorded in several formats (e.g., source document, electronic record, report) have the same classification regardless of format.

*See Document D. Data Classification Levels

Systems, Software, Access, and Information Control

Systems. Any computer, cloud services, laptop, Chromebook, iPad, mobile device, printing and/or scanning device, network appliance/equipment, security cameras, and other security equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as systems. All involved systems and data are assets of VHCS and therefore shall be protected from misuse, unauthorized access, or manipulation, and destruction. These protection measures may be physical and/or software based.

*See Document H. Physical and Security Controls

Software. All computer software developed by or used by VHCS employees, students or contract personnel on behalf of VHCS, licensed or purchased for VHCS use shall not be copied for use at home or at any other location, unless otherwise specified by the license agreement and approved by the VHCS Data Governance Committee.

 

All software packages installed on, accessed by, or utilized on VHCS technological systems must adhere to relevant licensing agreements and restrictions and comply with VHCS’ established software acquisition and application (app) vetting procedures.  

*See Document F. Software Acquisition Procedures

                                                                            

Artificial Intelligence (AI) Use Guidelines regarding Data Privacy. Guidelines are established to outline the responsible use, management, and oversight of Artificial Intelligence (AI) within VHCS to ensure data privacy, security, ethical use, and compliance with applicable regulations. These guidelines apply to all AI systems, applications, and tools used within VHCS, including but not limited to AI-driven analytics, automated decision-making tools, and AI-enhanced educational technologies.

*See Document M. Artificial Intelligence (AI) Use Guidelines Regarding Data Privacy

Virus, Malware, Spyware, Phishing, Ransomware, and Spam Protection. Virus checking systems approved by the VHCS’ District Technology Department are deployed using a multi-layered approach (computers, servers, gateways, firewalls, filters, etc.) to ensure all electronic files are appropriately scanned for viruses, malware, spyware, phishing, and spam.

*See Document G. Virus, Spyware, and Malware Protection

Cybersecurity Measures. Clear cybersecurity measures to safeguard information from unauthorized access, misuse, or breaches are critical.  These layered security protocols help ensure compliance with federal and state privacy laws and provide a secure digital environment for staff and students.  We continually monitor all cybersecurity measures to promote trust, reduce risk, and support the safe use of educational technologies.  These measures include but are not limited to the following:

• Redundant next-generation firewalls at both the Board of Education data center and school sites
• Endpoint Detection and Response (EDR) on all VHCS owned devices.
• Software-as-a-service (SaaS) provided content filtering for all VHCS owned devices
• Principle of Least Privilege for mission-critical hardware and software
• Automated user provisioning and deprovisioning for enhanced security of accounts

 Users shall neither turn off nor disable VHCS’ protection systems or install other systems. 

*See Document G. Virus, Spyware, and Malware Protection

 

Access Controls. Physical and electronic access to information systems that contain data are controlled. To ensure appropriate levels of access by internal workers, a variety of security measures are instituted as recommended by the Data Governance Committee and approved by VHCS. In particular, the Data Governance Committee shall document roles and rights to the student information system and other like systems. Mechanisms to control access to data and computing resources include, but are not limited to, the following methods:

Authorization. Access shall be granted on a “need to know” basis. It shall be authorized by the superintendent, principal, immediate supervisor, or Data Governance Committee with the assistance of the Director of Technology or designee. Specifically, on a case-by-case basis, permissions may be added to those already held by an individual user in the student management system, again on a need-to-know basis, and only to fulfill specific job responsibilities, with approval of the Data Governance Committee. 

• Context-based access. Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of the user, strength of user authentication, etc. 

• Role-based access. An alternative to traditional access-control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role. 

• User-based access. A security mechanism is used to grant users of a system access based on the identity of the user. 

*See Document H. Physical and Security Controls

 

Identification/Authentication. Unique user identification (User ID) and authentication are required to access any and all systems. Users shall be held accountable for all actions performed on the system with their User ID. User accounts and passwords shall NOT be shared. Strictly controlled passwords, biometric identification, and/or Token, PIN, or MFA are used to secure authentication. Only that user and possibly a designated security manager have access to the authentication controls. 

*See Document I. Password and Authentication Control Standards

Data Integrity. VHCS provides safeguards so that information is not altered or destroyed in an unauthorized manner. Core data are backed up to a private cloud for disaster recovery. In addition, listed below are methods that are used for data integrity in various circumstances: 

 

• Transaction audit 
• Disk redundancy (RAID) 
• ECC (Error Correcting Memory) 
• Checksums (file integrity) 
• Data Encryption 
• Data Wipes 

 

Transmission Security. Technical security mechanisms are in place to guard against unauthorized access to data that are transmitted over a communications network, including wireless networks or transferred by any means. The following features are implemented when transferring data electronically.

 

• Integrity controls and 
• Encryption, where deemed appropriate 
• Access control lists 
• Encrypted and decrypted certificates for authentication
• Secure File Transfer Protocols
• OneRoster v1.2 standard API controls
• Data masking

* See Document K. Data Access Roles and Permissions

*See Document D. Data Classification Levels

Electronic Mass Data Transfers. Downloading, uploading or transferring data between systems shall be strictly controlled via the use of secure APIs. Requests for mass download of, or individual requests for, information for research or any other purposes that include PII, confidential, and/or sensitive data shall be in accordance with this policy and be approved by the Data Governance Committee. All other mass downloads or uploads of information shall be approved by the committee and/or Systems Administrators and include only the minimum amount of information necessary to fulfill the request. A Memorandum of Understanding (MOU) or National Data Privacy Agreement (NDPA) shall be in place when transferring data to external entities such as software or application vendors, textbook companies, testing companies, or any other web-based application, unless the Data Governance Committee approves the exception. 

 

Other Electronic Data Transfers, Sharing, and Printing. PII, confidential, sensitive, and other internal information shall be stored and or printed in a manner inaccessible to unauthorized individuals. PII and Confidential Information shall not be accessed in an unauthorized manner through the use of malicious code execution, unauthorized use of login credentials, or left unattended and open to compromise. Where possible, PII, confidential, and/or sensitive data that is downloaded for educational purposes shall be de-identified before use. 

Subpoenas for Electronic Data. 

Subpoenas issued by courts of competent jurisdiction will be responded to by the Board in compliance with federal and state law pursuant to the advice and direction of the Board Attorney.

Using Only VHCS Approved Electronic Communication Services. Only VHCS district-supported email accounts and ParentSquare shall be used for communications to and from school employees, to and from parents or other community members, to and from other educational agencies, to and from vendors or other associations, and to and from students for school business. 

* See Document I. Password and Authentication Control Standards

 

Remote Access.  This policy establishes standards for connecting to the VHCS network or customer networks where VHCS provides managed services. Its purpose is to reduce the risk of data breaches, cyber incidents, or unauthorized access that could lead to loss of sensitive data, damage to VHCS systems, or harm to the district’s reputation.

This policy applies to all VHCS staff, contractors, vendors, and agents using VHCS-owned or personal devices to perform work remotely, including accessing email and internal web resources.

Remote access is only permitted through VHCS-approved VPN solutions and at the approval of the superintendent or designee.  All other methods require explicit approval from the Director of Technology or the Data Governance Committee.

Personally Identifiable Information (PII), confidential, or internal data accessed remotely must be protected to the same standards as on-network data. This data may only be stored in cloud services approved by the Data Governance Committee or its designee.

 

Physical Security: Access to areas in which information processing is carried out shall be restricted only to appropriately authorized individuals. Technology closets, network racks, and/or any infrastructure equipment is housed in locked areas via keyed access or card access.

It is the user's responsibility to ensure that systems above are not left logged in, unattended, and open to unauthorized use. 

No technological systems that may contain information as defined above shall be disposed of or moved without adhering to the appropriate Purchasing and Disposal of Electronic Equipment procedures.
*See Document H. Physical and Security Controls

*See Document J. Purchasing and Disposal Procedures

IT Disaster Recovery: VHCS must be able to recover critical systems and data within a reasonable timeframe following an emergency. All incidents (e.g., fire, vandalism, system failure, natural disaster, or cyber incident) must be reported immediately to the Superintendent or designee.

The Disaster Recovery Plan includes:

• A prioritized list of critical services, data, and contacts
• Processes for restoring lost data and maintaining operations during disruptions
• Procedures for regularly testing and updating the recovery plan

Plan objectives:

• Enable operation from a standby facility
• Restore VHCS systems at primary sites
• Minimize disruption to VHCS operations

*See Document N. IT Disaster Recovery

Compliance

The Data Governance Policy applies to all users of VHCS’ information, including employees, staff, volunteers, and outside affiliates. Failure to comply with this policy by employees, staff volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable VHCS procedures, or, in the case of outside affiliates, termination of the affiliation. 

 In the event VHCS students attempt actions that violate designated access in accordance with VHCS’ policies, possible disciplinary/corrective action will be instituted per the Student Code of Conduct.  A more comprehensive outline of acceptable student behavior in regard to VHCS technologies and their use is included in the VHCS Acceptable Use Policy. 

Depending on the nature and severity of the incident, violations may be escalated for legal action or law enforcement involvement in accordance with applicable laws.

Disciplinary actions may be taken for violations, including but not limited to the following:

• Unauthorized disclosure of PII or Confidential Information.
• Unauthorized disclosure of a log-in code (User ID and password).
• Attempting to obtain a log-in code or password that belongs to another person.
• Using or attempting to use another person’s log-in code or password.
• Unauthorized use of an authorized password to invade student or employee privacy by examining records or information for which there has been no request for review.
• Installing or using unlicensed software on VHCS’ technological systems.
• The intentional unauthorized altering, destruction, or disposal of VHCS’ information data and/or systems. This includes the unauthorized removal from VHCS of technological systems, such as but not limited to laptops, internal or external storage, computers, servers, backups, or other media, copiers, etc. that contain PII or confidential information.
• Attempting to gain access to log-in codes for purposes other than for support by authorized technology staff, including the completion of fraudulent documentation to gain access.

Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PII, sensitive, or confidential data are in use.  Further, procedures are in place to regularly review records of information system activity, such as audit logs, access reports, and regular cybersecurity audits. 

 

Evaluation: VHCS requires that periodic technical and nontechnical evaluations of access controls, storage, and other systems be performed in response to environmental or operations changes affecting the security of electronic PII to ensure its continued protection. 

*See Document H. Physical and Security Controls

Documents Referenced for Clarification and Training

1. Laws, Statutory, Regulatory, and Contractual Security
2. Requirements Information Risk Management Practices
3. Definitions and Responsibilities
4. Data Classification Levels
5. Acquisition of Hardware
6. Acquisition of Software Procedures
7. Virus, Malware, Spyware, Phishing and SPAM Protection
8. Physical and Security Controls
9. Password and Authentication Control Standards
10. Purchasing and Disposal Procedures
11. Data Access Roles and Permissions
12. National Data Privacy Agreement (NDPA)
13. Artificial Intelligence (AI) Use Guidelines Regarding Data Privacy
14. IT Disaster Recovery

*All forms that require signature and acknowledgement are found on our VHCS website, online registration portal, and online staff compliance training portal.

Document A. Laws and Regulations

The district will abide by any law, statutory, regulatory, or contractual obligations affecting its informational systems. The following laws, rules, and standards, among others, inform the district’s data governance policy and procedures:

CIPA: Congress enacted the Children’s Internet Protection Act in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program.  Schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies shall include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they shall provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyber bullying awareness and response. For more information, see:

COPPA: The Children’s Online Privacy Protection Act regulates operators of commercial websites or online services directed to children under 13 that collect or store information about children.  Parental permission is required to gather certain information before student use.

FERPA: The Family Educational Rights and Privacy Act applies to all institutions that are recipients of federal aid administered by the Secretary of Education.  This regulation protects student information and accords students’ specific rights concerning their data.       

HIPAA: The Health Insurance Portability and Accountability Act applies to organizations that transmit or store Protected Health Information (PII).  It is a broad standard that was initially intended to combat waste, fraud, and abuse in health care delivery and health insurance, but is now used to measure and improve the security of health information as well. In general, schools are not bound by HIPAA guidelines.

PCI DSS: A consortium of payment brands, including American Express, Discover, MasterCard, and Visa, created the Payment Card Industry Data Security Standard.  It covers the management of payment card data and is relevant for any organization that accepts credit card payments.   For more information, see:

PPRA:   The Protection of Pupil Rights Amendment affords parents and minor students’ rights regarding the conduct of surveys, collection, and use of information for marketing purposes, and specific physical exams. It governs the administration of a survey, analysis, or evaluation of students that concerns one or more of the following eight protected areas:

• political affiliations or beliefs of the student or the student’s parent;
• mental or psychological problems of the student or the student’s family;
• sex behavior or attitudes;
• illegal, anti-social, self-incriminating, or demeaning behavior;
• critical appraisals of other individuals with whom respondents have close family relationships;
• legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
• religious practices, affiliations, or beliefs of the student or student’s parent; or,
• income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under State law. 

AL House Bill 166 - FOCUS Act:

 

Relating to public K-12 education; to establish the Freeing our Classrooms of Unnecessary Screens for Safety (FOCUS) Act; to prohibit the use, operation, and possession of wireless communication devices on certain public school properties; to require local boards of education to adopt an Internet safety policy; to add Section 16-40-13 to the Code of Alabama 1975, to require students to complete a social media safety course prior to entering the eighth grade; and to repeal Section 16-1-27, Code of Alabama 1975, providing for the use of electronic communication devices on school property.

 

Alabama Data Breach Notification Act of 2018 (Acts 2018-396):

 

The Alabama Data Breach Notification Act of 2018 (Acts 2018-396) requires certain entities that have experienced a data breach to notify the Attorney General when the breach results in the unauthorized acquisition of sensitive personally identifying information and is reasonably likely to cause substantial harm to the individuals to whom the information relates.

 

Document B. Risk Management Practices

The analysis involved in VHCS Risk Management Practices examines the types of threats – internal or external, natural or manmade, electronic and non-electronic – that affect the ability to manage and protect the information resource.  The analysis also documents any existing vulnerabilities found within each entity, which potentially expose the information resource to threats.  Finally, the analysis includes an evaluation of the information assets and the technology associated with their collection, storage, dissemination, and protection.

From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information is determined and addressed based on recommendations by the Data Governance Committee.  The frequency of the risk analysis is determined at the district level.  It is the option of the superintendent or designee to conduct the analysis internally or externally.

Risk Management Practices include but are not limited to:

• Implementation of Multi-Factor Authentication
• Routine District Cybersecurity Audits 
• Annual access control audits for information systems
• Zero-Trust Security Practices
• Annual review of cybersecurity best practices
• Continual evaluation of district policies and procedures
• Consistent asset tracking and inventory

 

Document C. Definitions and Responsibilities

Availability: Data or information is accessible and usable upon demand by an authorized person.

Confidentiality: Data or information is not made available or disclosed to unauthorized people or processes.

Data: Facts or information

Entity: Organization such as a school system, a school, a department, or in some cases, a business

Information: Knowledge that you get about something or someone; facts or details.

Data Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons: Every user of Involved Systems (see below) at VHCS, regardless of their status. This includes nurses, residents, students, employees, contractors, consultants, temporary workers, volunteers, substitutes, student teachers, interns, etc.

Systems: All data-involved computer equipment/devices and network systems that are operated within or by the VHCS physically or virtually. This includes all platforms (operating systems), all computer/device sizes (personal digital assistants, desktops, mainframes, telephones, laptops, tablets, game consoles, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Personally Identifiable Information (PII): PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.

Responsibilities of the Data Governance Committee: The Data Governance Committee for VHCS is responsible for ensuring that security policies, procedures, and standards are in place and adhered to by the entity.

Other responsibilities include:

Reviewing the Data Governance Policy annually and communicating changes in policy to all parties involved.

Educating data custodians and managing owners and users with comprehensive information about security controls affecting system users and application systems.

User Management: VHCS’ administrators (Principals, Assistant Principals, Directors) are responsible for overseeing their staff's use of information and systems, including:

• Reviewing and approving all requests for their employees’ access authorizations.
• Initiating security change requests to keep employees' secure access current with their positions and job functions.
• Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
• Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.
• Providing employees with the opportunity for training needed to properly use the computer systems.
• Reporting promptly to the Technology Department and the Data Governance Committee the loss or misuse of VHCS’ information.
• Initiating corrective actions when problems are identified.
• Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any technology or data system/software to manage information.
• Following all privacy and security policies and procedures.

Information Owner: The owner of a collection of information is usually the administrator or supervisor responsible for the creation of that information.  In some cases, the owner may be the primary user of that information. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the VHCS Information Owner Delegation/Transfer Request Form and submitting the form to the Data Governance Committee for approval. The owner of information has the responsibility for:

• Knowing the information for which she/he is responsible.
• Determining a data retention period for the information, relying on ALSDE guidelines, industry standards, Data Governance Committee guidelines, or advice from the school system attorney.
• Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created.
• Authorizing access and assigning data custodianship if applicable.
• Specifying controls and communicating the control requirements to the data custodian and users of the information.
• Reporting promptly to the Technology Department the loss or misuse of VHCS’ data.
• Initiating corrective actions when problems are identified.
• Promoting employee education and awareness by utilizing programs approved by the Technology Department, where appropriate.
• Following existing approval processes within the respective organizational unit and district for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

Data Custodian: An administrator or the Technology Department assigns Data Custodian based on his/her role and is generally responsible for the processing and storage of information. The data custodian is responsible for the administration of controls as specified by the owner.  Responsibilities may include:

• Providing and/or recommending physical safeguards.
• Providing and/or recommending procedural safeguards.
• Administering access to information.
• Releasing information as authorized by the Data Governance Committee for use and disclosure using procedures that protect the privacy of the information.
• Maintaining information security policies, procedures and standards as appropriate and in consultation with the Data Governance Committee.
• Promoting employee education and awareness by utilizing programs approved by the Technology Department, where appropriate.
• Reporting promptly to the Data Governance Committee the loss or misuse of VHCS’ data.
• Identifying and responding to security incidents and initiating appropriate actions when problems are identified.

User: The user is any person who has been authorized to read, enter, print or update information. A user of information is expected to:

• Access information only in support of their authorized job responsibilities.
• Comply with all data security procedures and guidelines in the VHCS Data Governance Policy and all controls established by the data owner and/or data custodian.
• Keep personal authentication devices (e.g. passwords, secure cards, PINs, access codes, etc.) confidential.
• Report promptly to the Data Governance Committee the loss or misuse of VHCS’ information.
• Follow corrective actions when problems are identified.

Document D. Data Classification Levels

Personally Identifiable Information (PII) is information about an individual maintained by an agency, including:

• Any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records.
• Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
• Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious legal implications for VHCS.

Confidential Information is very important and highly sensitive material that is not classified as PII. This information is private or otherwise sensitive in nature and shall be restricted to those with a legitimate business need for access. Examples of Confidential Information may include personnel information, key financial information, and proprietary information of commercial research sponsors, system access passwords, and information file encryption keys.

Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for VHCS, its staff, parents, students, including contract employees, or its business partners. Decisions about the provision of access to this information shall always be cleared through the information owner and/or Data Governance Committee.

Internal Information is intended for unrestricted use within VHCS, and in some cases, within affiliated organizations such as VHCS’s business or community partners. This type of information is already widely distributed within VHCS, or it could be distributed within the organization without advance permission from the information owner. Examples of Internal Information may include personnel directories, internal policies and procedures, and most internal electronic mail messages.

Any information not explicitly classified as PII, Confidential or Public will, by default, be classified as Internal Information.

Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.

Public Information has been specifically approved for public release by a designated authority within each entity of VHCS. Examples of Public Information may include marketing brochures and material posted to VHCS’ web pages. This information may be disclosed outside of VHCS. 

Directory Information as defined by VHCS and in compliance with FERPA is as follows:

• Student first and last name
• Student gender
• Student home address
• Student home telephone number
• Student school-assigned monitored and filtered email address
• Student photograph
• Student place and date of birth
• Student dates of attendance (years)
• Student grade level
• Student diplomas, honors, awards received
• Student participation in school activities or school sports
• Student weight and height for members of school athletic teams
• Student most recent institution/school attended
• Student ID number

 

Document E. Hardware Acquisition

It is the position of VHCS’ Technology Department to ensure that technology equipment being purchased is compatible with existing district equipment and is purchased/deployed in an acceptable time frame. The equipment must be purchased from a reputable manufacturer, have a warranty, and fit within the VHCS Technology Department's purchasing framework.

All purchases of computer hardware or software will be coordinated with the Technology Department. VHCS guidelines include:

• The Technology Department will assist in connecting the device to wireless networks upon receiving an FMX helpdesk technology request
• Laptop/Desktops purchased using personal funds will not be supported or part of the Technology Department replacement cycle
• Technology Department will not load software that is not licensed by the district
• Technology Department will not provide virus/spyware removal assistance on personal devices
• Technology Department will not support hardware or software that is not purchased within these guidelines
• Technology Department will not support network printers purchased that are not on VHCS Specification list

 

Document F. Software Acquisition Procedures

 

The purpose of the Acquisition of Software Procedures is to:

• Ensure proper management of the legality of information systems,
• Allow all academic disciplines, administrative functions, and athletic activities the ability to utilize proper software tools,
• Minimize licensing costs,
• Increase data integration capability and efficiency of VHCS (VHCS) as a whole, and
• Minimize the malicious code that can be inadvertently downloaded.

Software Licensing:

All district software licenses owned by VHCS will be:

• Kept on file at the data center or on a secure cloud instance, accurate, up to date, and adequate, and in compliance with all copyright laws and regulations

All other software licenses owned by departments or local schools will be:

• Kept on file with the department or local school technology office, accurate, up to date, and adequate, and in compliance with all copyright laws and regulations

Software installed on VHCS technological systems and other electronic devices:

• Will have proper licensing on record,
• Will be properly licensed or removed from the system or device, and
• Will be the responsibility of the VHCS technology department to maintain proper access levels and installation strategies

Purchased software accessed from and storing data in a cloud environment will have a Memorandum of Understanding (MOU) or National Data Privacy Agreement (NDPA) on file that states or confirms at a minimum that:

• VHCS student and/or staff data will not be shared, sold, or mined with or by a third party,
• VHCS student and/or staff data will not be stored on servers outside the US unless otherwise approved by VHCS’ Data Governance Committee,
• The company will comply with VHCS guidelines for data transfer or destruction when contractual agreement is terminated, and
• No API will be implemented without full consent of VHCS and the ALSDE
• Software with or without physical media (e.g. downloaded from the Internet, apps, or online) shall still be properly evaluated and licensed if necessary and is applicable to this procedure.  It is the responsibility of staff to ensure that all electronic resources are age appropriate, FERPA compliant, and are in compliance with software agreements before requesting use.  Staff members are responsible for ensuring that parents have given permission for staff to act as their agent when creating student accounts for online resources.

Supported Software:

To prevent software containing malware, viruses, or other security risks, it is categorized as either Supported or Not Supported Software.  For software to be classified as Supported Software, downloads and/or the district technology department or designee, such as a member of the technical staff, shall approve purchases.

Unsupported software is considered New Software and shall be subject to approval, or it will not be allowed on VHCS owned devices.

When staff recommend apps or software for installation, it is assumed that the staff has properly followed all steps to notify school administration, district technology staff, and the Director of Curriculum and Instruction for approval.

Software that accompanies adopted instructional materials will be vetted by Curriculum and Instruction staff and the Technology Department and is therefore supported.

New Software:

In the Evaluate and Test Software Packages phase, the software will be evaluated against current standards and the viability of implementation into the VHCS technology environment, and the functionality of the software for the specific discipline or service it will perform.

Evaluation may include but is not limited to, the following:

• Conducting beta testing or sufficient piloting within the district.
• Determining how the software will impact the VHCS technology environment, such as student rostering requirements through ClassLink, data security, and/or other affected systems.
• Determining hardware requirements.
• Determining what additional hardware is required to support a particular software package.
• Outlining the license requirements/structure, number of licenses needed, and renewals.
• Determining any Maintenance Agreements, including cost.
• Determining how the software is updated and maintained by the vendor.
• Determining funding for the initial purchase and continued licenses and maintenance.

When staff recommend apps or software for purchase and/or testing, it is the responsibility of the appropriate staff to properly vet the app or software to ensure that it is instructionally sound, is in line with curriculum or behavioral standards, and is age-appropriate. All software must utilize the VHCS App Approval process that is found through our FMX ticketing system.

FMX Approval Procedure:

 

1. Any staff member wishing to purchase an app or software must use the FMX Ticketing system to request a “New Software/Application”
   1. This form includes key details for the vetting process, such as: Student Data Requirements, ClassLink Rostering, Signed Memorandum of Understanding, Total Cost, and App description.
2. The application request will go through three levels of approval:
   1. Building Administrator Approval
   2. Director of Curriculum and Instruction Approval
   3. Director of Technology Approval
3. Once the application has received final approval, the VHCS technology department will deploy the app to the platforms requested and will finalize the helpdesk request once the app has been deployed.

Document G. Virus, Spyware, and Malware Protection

VHCS is entrusted with the responsibility to provide appropriate protection against malware threats, such as viruses and spyware applications. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems they cover. This policy applies to all computers that VHCS is responsible for managing. This explicitly includes any system for which VHCS has a contractual obligation to administer. This also includes all computer systems set up for internal use by VHCS, regardless of whether VHCS retains administrative responsibility or not.

Anti-Virus

All computers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system. VHCS utilizes Palo-Alto’s endpoint detection and response platform for Anti-Virus.

Zero-Trust

VHCS implements a zero-trust network security model. Zero-Trust is a network security strategy based on the fact that no person or device inside or outside of the VHCS network should be granted access to IT systems or workloads unless it is explicitly deemed necessary. This security model requires that any person needing access to administrative privileges within our system must obtain prior approval and authorization from an authorized VHCS technology staff member.

Mail Server Anti-Virus

If the target system is a mail server it MUST have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server. Local antivirus scanning applications MAY be disabled during backups if an external anti-virus application still scans inbound emails while the backup is being performed.

Anti-Spyware

All computers MAY have an anti-spyware application installed that offers real-time protection to the target system

Internet Filtering

Student learning using online content and social collaboration continues to increase. VHCS views Internet filtering as a way to balance safety with learning—letting good content, resources, and connections in while blocking the bad. To balance educational Internet resources and app use with student safety and network security, the Internet traffic from all devices that authenticate to the network is routed through the filter using the user’s network credentials.  For guest devices, users see a “pop-up screen” that requires them to login to the Internet filter with his/her network credentials or a guest login and password to gain access to the Internet.  This process sets the filtering level appropriately based on the role of the user, such as, student, staff or guest, and more specifically for students, the grade level of the child.  All sites that are known for malicious software, phishing, spyware, etc. are blocked.

Phishing and Spam Protection

Virus checking systems approved by the VHCS Technology Department are deployed using a multi-layered approach (computers, servers, gateways, firewalls, filters, etc.) that ensures all electronic files are appropriately scanned. Users shall neither turn off nor disable VHCS’ protection systems or install other systems. Google Workspace for Education utilizes spam filtering and monitors phishing attempts to alert technical staff of possible compromised accounts or malicious emails. VHCS employees are trained annually through KnowBe4 on recognizing phishing attempts. Phishing tests are conducted quarterly through the KnowBe4 platform to record employee proficiency in identifying potential phishing attempts. 

Security Patches

To provide a stable and secure network environment for VHCS’ network applications, staff, business partners, and contractors. As part of this goal, it is VHCS network policy to ensure all computer devices connected to VHCS’ network have proper virus protection software, current virus definition libraries, and the most recent operating system and security patches installed.

 

Document H. Physical and Security Controls

The following physical and security controls shall be adhered to:

1. Network systems shall be installed in an access-controlled area. The area in and around the computer facility shall afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
2. Monitor and maintain data centers’ temperature and humidity levels. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends an inlet temperature range of 68 to 77 degrees and a relative humidity of 40% to 55%.
3. File servers and/or storage containing PII, Confidential and/or Internal Information shall be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
4. Computers and other systems shall be secured against use by unauthorized individuals. It is the user's responsibility to ensure these devices are not left logged in, unattended, and open to unauthorized use.
5. Ensure network systems and network equipment are properly secured to prevent unauthorized physical access, and data is properly safeguarded to protect from loss. A record shall be maintained of all personnel who have authorized access.
6. Maintain a log of all visitors granted entry into secured areas or areas containing sensitive or confidential data (e.g., data storage facilities). Access control software will record the visitor’s name, organization, and the name of the person granting access, where access control systems are available. Retain visitor logs for no less than 6 months.  Ensure visitors are escorted by a person with authorized access to the secure area.
7. Monitor and control the delivery and removal of all asset-tagged and/or data-storing technological equipment or systems. Maintain a record of all such items entering or exiting their assigned location using the district approved technology inventory program.  No technology equipment, regardless of how purchased or funded, shall be moved without the explicit approval of the technology department.
8. Ensure that technological equipment or systems being removed for transfer to another organization or being designated as surplus property is appropriately sanitized in accordance with applicable policies and procedures.

 

Document I. Password and Authentication Control Standards

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. VHCS’ purpose is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. All personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any VHCS facility, has access to the VHCS’ network, or stores any non-public VHCS’ information. A poorly chosen password may result in the compromise of VHCS' entire school system network. As such, all VHCS staff (including contractors and vendors with access to VHCS’ systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Password Standards:

• Users are responsible for complying with the following password standards for network access or access to secure information:
• All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
• All production system-level passwords must be part of the VHCS Technology Department administered global password management database.
• All user-level passwords (e.g., email, web, desktop computer, etc.) will be changed if technology administration has been alerted of suspicious login attempts.
• All administrative accounts with access to sensitive information (e.g., District Leadership, School administration, Technology administration, etc.) will utilize multi-factor authentication (MFA) to access and authenticate to platforms containing sensitive information.
• User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user and multi-factor authentication must be enforced.
• Student passwords will be generated through ClassLink Onesync.

Passwords must not be inserted into email messages or other forms of electronic communication.

Multi-factor authentication (MFA) is enforced for: 

• All administrative accounts with access to sensitive data.
• All staff accounts by December 2025

All user accounts are automated through a unified identity management system, ClassLink Onesync.

Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

All user-level and system-level passwords must conform to the guidelines described below:

• Passwords shall never be shared with another person, unless the person is a designated security manager.
• Strong passwords have the following characteristics:
• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Have digits and punctuation characters as well as letters e.g., 0-9,
• !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
• Are at least fifteen alphanumeric characters long and is a passphrase (Ohmy1stubbedmyt0e).
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.

Passwords should never be written down or stored online. Try to create passwords that are easy to remember. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

Do not use the same password for VHCS accounts as for other non-VHCS access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, avoid using the same password for multiple VHCS access needs. For example, select one password for the Engineering systems and a separate password for IT systems. 

Do not share VHCS passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential VHCS information.

 

Document J. Purchasing and Disposal Procedures

This procedure is intended to provide for the proper purchasing and disposal of technological devices only. Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as systems in this document. For further clarification of the term technological systems contact the Vestavia Hills City Schools (VHCS) district Technology Department.

All involved systems and information are assets of VHCS and expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

Purchasing Guidelines

All systems that will be used in conjunction with VHCS’ technology resources or purchased, regardless of funding, shall be purchased from an approved list or be approved by a local school Instructional Technology Specialist and/or the district Technology Department.  Failure to have the purchase approved may result in a lack of technical support, a request for removal from premises, or denied access to other technology resources.

Alabama Competitive Bid Laws

All electronic equipment is subject to Alabama competitive bid laws.  Several purchasing co-ops have been approved for use by the Alabama State Examiners' office. All technological systems, services, etc., over $40,000 purchased with public funds are subject to Alabama’s competitive bid laws.

Inventory

The Technology Department and/or Instructional Technology Specialist at each school inventory all technological devices or systems. It is the responsibility of the local Instructional Technology Specialist to conduct this inventory.  The district technology staff is responsible for ensuring that any network equipment, fileservers, or district systems, etc. are inventoried.

Disposal Guidelines

Equipment shall be considered for disposal for the following reasons:

• End of useful life,
• Lack of continued need,
• Obsolescence,
• Wear, damage, or deterioration,
• Excessive cost of maintenance or repair.

The local school principal, the Technology Department, and the BOE shall approve school disposals by discarding or recycling. Written documentation in the form of a spreadsheet, including but not limited to the following, shall be provided to the BOE two weeks before the next Board of Education meeting:

• Fixed asset tag (FAT) number,
• Location,
• Description,
• Serial number, and
• Original cost and account code if available.

Methods of Disposal

Once equipment has been designated and approved for disposal, it shall be handled according to one of the following methods.  It is the responsibility of the local school ITS and Technology Department to modify the inventory entry to reflect any in-school transfers, in-district transfers, recycles, or discards for technological systems.  The district Technology Department is responsible for modifying the inventory records to reflect any transfers of electronic equipment to local schools, or central office discards.

Transfer/Redistribution

If the equipment has not reached the end of its estimated life, an effort shall be made to redistribute the equipment to locations where it can be of use, first within an individual school or office, and then within the district.  Service requests may be entered to have the equipment moved, reinstalled and, in the case of computers, laptops, or companion devices, have it wiped and reimaged or configured.

Discard

All electronic equipment in the VHCS district shall be discarded in a manner consistent with applicable environmental regulations.  Electronic equipment may contain hazardous materials such as mercury, lead, and hexavalent chromium. In addition, systems may contain Personally Identifiable Information (PII), Confidential, or Internal Information.  Systems shall be wiped clean of this information prior to leaving the school district.

A district-approved vendor shall be contracted for the disposal of all technological systems/equipment.  The vendor shall provide written documentation verifying the method used for disposal and a certificate stating that no data of any kind can be retrieved from the hard drive or any other component capable of storing data.

Under no circumstances should any technological systems/equipment be placed in the trash.  Doing so may make VHCS and/or the employee who disposed of the equipment liable for violating environmental regulations or laws.

Required Documentation and Procedures

For purchases, transfers, and redistributions, recycling, and disposal of technology-related equipment, it is the responsibility of the appropriate technology team member to create/update the inventory to include previous location, new school, and/or room location, and to note the transfer or disposal information.  When discarding equipment, the fixed asset tag is removed from the equipment and turned in with other documentation.

Any equipment recycled shall be completely wiped of all data.  This step will not only ensure that no confidential information is released but also prevent any inadvertent software licensing violations.  For non-sensitive machines, all hard drives shall be fully wiped using a wiping program approved by the district technology office, followed by a manual scan of the drive to verify that zeros were written.

Any re-usable hardware that is not essential to the function of the equipment that can be used as spare parts shall be removed: special adapter cards, memory, hard drives, zip drives, CD drives, etc. A district-approved vendor SHALL handle all disposals that are not redistributions, transfers, or donations.  Equipment shall be stored in a central location prior to pick-up.  Summary forms shall be turned into district technology office and approved by the Chief School Finance Officer prior to the scheduled “pick up” day. Mice, keyboards, and other small peripherals may be boxed together and shall not be listed on summary forms.

 

Document K. Data Access Roles and Permissions

Student Information Applications

Any software system owned and/or managed by the District, which is used to store, process, or analyze student educational records defined by FERPA shall be subject to strict security measures.

Only Supervisory District Administrators will have responsibilities over the District Student Information Systems, which will determine appropriate roles and access to the data and will enforce compliance with these roles and permissions.

PowerSchool Access

Only authorized users of PowerSchool will be allowed access. No one is allowed to give out username/password or allow someone to utilize the program while logged in.  All personnel will log out of PowerSchool when not in use or when leaving the room.  No one will misuse any information or share any personal student information.  Violation of our policy, misuse of data, or FERPA violation can have serious consequences, including loss of Federal funding, internal discipline, and other legal liabilities.

VHCS maintain the following permission groups in PowerSchool:

• Administrators
• Alternative School
• Attendance Clerk
• Bookkeepers
• Case Manager (Exceptional Education)
• Census Clerk
• CNP Central Office
• CNP Manager
• College Counselor
• Counselor
• Data Entry Clerk
• Discipline Clerk
• District Level Access
• District Reporting Access
• District Personnel Administrators
• Elementary Teacher
• Enrollment Clerk
• Grad Exam Guidance Clerk
• Guidance Clerk
• Head Nurse
• Instructional Partners
• Nurse
• PE Teacher
• PST Recorder
• Registrar
• Scheduling Clerk
• School Administrator
• Secondary Teacher
• Special Programs Staff
• Transcripts

*A complete list of Permissions is available upon requests VHCS

 

Document M.  Artificial Intelligence (AI) Use Guidelines Regarding Data Privacy

These Guidelines establish the responsible use, management, and oversight of Artificial Intelligence (AI) within VHCS to ensure data privacy, security, ethical use, and compliance with applicable regulations.

These guidelines apply to all AI systems, applications, and tools used within VHCS, including but not limited to AI-driven analytics, automated decision-making tools, and AI-enhanced educational technologies.

Guiding Principles

Ethical Use: AI must align with VHCS's mission and values, promoting fairness, transparency, and accountability.

Data Privacy & Security: AI implementations must comply with FERPA, COPPA, and other relevant laws to safeguard student and staff data.

Human Oversight: AI must support, not replace, human decision-making, particularly in areas impacting student learning, discipline, and employment decisions.

Transparency: AI-driven processes must be documented and communicated to stakeholders when they significantly impact operations.

Bias Mitigation: AI models should be reviewed and challenged periodically to prevent and address bias in decision-making.

AI System Approval & Review

All AI tools must be vetted and approved by the VHCS Technology Department before implementation.

The VHCS Technology Department will evaluate such applications based on the following criteria:

• Vendor Data Usage Agreements
• Instructional Alignment with VHCS curriculum
• Age Appropriateness
• FERPA, COPPA, and CIPA compliance
• Software Bias

AI systems must undergo periodic reviews to ensure compliance with security, ethical, and legal standards.

AI vendors must provide transparency regarding data usage, storage, and decision-making processes in compliance with the VHCS Data Governance Policy.

Data Governance & Security Measures

AI systems must only process data necessary for their intended educational or administrative purpose.

Student and staff data processed by AI must be encrypted and access-controlled.

AI tools must not be used for profiling or automated decision-making that could negatively impact students or staff without human oversight.

Training & Awareness

VHCS staff will receive training on the appropriate and ethical use of AI via Common Sense Media

Teachers and administrators will understand AI-driven insights and how they affect instruction and decision-making.

Students will be educated on AI literacy, including responsible use and understanding of AI-generated content.

Compliance & Monitoring

The VHCS Technology Department will oversee AI compliance and report concerns to district leadership.

Any AI-related incidents, breaches, or ethical concerns must be reported and addressed promptly.

This policy will be reviewed annually and updated as AI technologies evolve.

VHCS will maintain compliance with any AI policies developed by the Alabama State Department of Education (ALSDE).

Exceptions & Amendments

Exceptions to this policy require written approval from the Director of Technology.

Amendments to this policy will be made as necessary to align with legal, technological, or educational advancements.

Document N. IT Disaster Recovery

IT DR Goal and Objectives

The DR (Disaster Recovery) plan provided by VHCS establishes defined responsibilities, activities, and procedures to recover business critical and IT services as a result of unexpected disruption. This plan is designed to mitigate the risk of system and service unavailability by documenting effective contingency actions for continuation or resumption of mission-critical services in the event of a disaster.

Disaster recovery objectives are as listed below:

• Protecting human life and ensuring the safety of all personnel and students
• Preventing further damage to assets and information resources
• Recovering services within the established recovery time objective (RTO) and recovery point objectives (RPO)
  • Recovery time objective: maximum acceptable time it takes to restore a business process or system after an incident or disruption.
  • Recovery point objective: the maximum acceptable amount of data loss, measured in time, that an organization can endure during a disaster or outage
• Minimizing and mitigating business impact, evaluating direct costs and indirect costs resulting from a system or service disruption
• Ensure that security controls and policies for the failover systems are at or above par with primary production infrastructure.
• Ensure that service application performance is not degraded for recovered services

IT DR Scope

The following table of services have been defined as critical and require recovery at the designated DR location following a disaster declaration in order to support business functions. These services and the supporting systems will be recovered based on the following criticality tiers. These tiers and the required recovery times have been developed in partnership with the district superintendent, assistant superintendents, chief financial officer, and director of technology based on criticality. 

 

Plan Assumptions and Limitations

The following assumptions have been made with the VHCS IT Disaster Recovery Plan:

• Technology Administrators and Operations Administrators will be available for key decisions and support that is required to execute this disaster recovery plan.
• Specific IT and Business resources such as: ALSDE, White Rhino Security, CDW-G and CISA will be available to assist in executing the disaster recovery plan.
• There will be some degradation in IT support services because staff will be focused on prioritized recovery procedures.

Declaration and Plan Activation

Participants: Superintendent, Assistant Superintendent, Board Members, Key Stakeholders, IT Leadership, Recovery contractors.

Key activities: Review assessments and other inputs

Key decisions/outcomes: Invoke Business continuity plans and DR plans or not

 

Based on the above assessments and other pertinent internal or external information, a decision to invoke the DR Plan will be made. The criteria for invocation are:

• Loss of service: More than 5 critical systems or services are nonfunctional
• Loss of access on premises: The data center at the Board of Education location is not available for an extended period (More than 8 hours)
• Loss of access to systems or data: Network access to critical applications or business function is interrupted (due to external telecommunication failure or internet performance degradation) 

The following information will be communicated to stakeholders and employees:

• That a disaster has occurred
• The nature of the disaster (if known)
• The initial estimation of the magnitude of the disaster (if known)
• The initial estimation of the impact of the disaster (if known)
• The initial estimation of the expected duration of the disaster (if known)
• Actions that have been taken to this point
• Actions that are planned
• Any planned meeting place/time for the DR team
• Any other pertinent information