Edward Gardner, the school district's director of technology infrastructure, outlined security tests a contractor could perform on behalf of the school system. The request for proposals would require the contractor to perform quarterly tests of what access the public has to data and to mobile and web-based applications. The contractor would then report methods, results and recommendations to the school system's Department of Technology Infrastructure.
At Wednesday's meeting, the school board also heard for the first time a proposed policy on data breach notification. Superintendent Terry Alban said the district already had procedures within the IT department on how to respond and state law also dictates how to respond.
"This formalizes it so that we have our own board policy," Alban said.
Board members wanted to have more information attached to the policy, such as the state law and the procedures that are currently in place, to analyze the next time the draft is brought before the board.
The board's discussion comes about a month after a former student alerted the district of a data breach that resulted in the names, addresses and Social Security numbers of about 1,000 students being posted on a website. The person who posted the list offered to sell the same information for a total of 20,000 people.
During the discussion on hiring a contractor to perform security tests, board members wanted to make sure there would be an option to perform the security tests unannounced.
The contractor would at first test for vulnerability of the system without knowing any of the internal workings. Gradually, the school system would provide more information to the contractor as it tests security.
Under the contract, the company would report security incidents, potential threats and vulnerabilities. It would also protect the system from unauthorized user access, ensure information that's sent from the system is controlled and stored securely, and make sure all handling of personally identifiable information and sensitive but unclassified information conforms to FCPS policy.
The request for proposals also provides information on what skills the district wants the contractor to have -- including experience in project management, network design, security, wireless communications and Wi-Fi technologies and devices -- in testing the security of government systems and identifying security vulnerabilities. The request for proposals also lists many professional certifications it would like for the contractor to have.
©2017 The Frederick News-Post (Frederick, Md.), distributed by Tribune Content Agency, LLC.
