Public school board drafts new cyber security policy

To strengthen cyber security within the public school board a new policy is being created and those who violate it could face consequences. 

The data governance and security policy is in its draft phase and at the policy and priorities committee on Tuesday it is being recommended to go out for public consultation.

Its policy development plan was approved in June by the Upper Grand District School Board.

The reason it’s being created is so the board can meet its obligations under the provincial government’s Enhancing Digital Security and Trust Act.

The policy applies to anyone – including students – who creates, distributes, accesses or manages board data through the UGDSB’s information systems. This includes corporate or personal computers, networks and communication services.

The board has a right to audit, investigate, monitor board accounts and conduct e-discovery. E-discovery means to identify electronically stored information in a response to an investigation.

“Individuals should not expect privacy when using board technology services,” read the draft policy report.

To ensure personal documents and communication stay private it suggests people use their personal accounts and devices in those instances.

When there are violations of the policy actions may be taken. This includes partial or full account suspension of those involved. Hardware or data access may be confiscated so relevant files to an investigation can be preserved.

There could be disciplinary measures that can include dismissal. Legal action may also take place. Activities of a criminal nature will be turned over to police if deemed necessary.

When it comes to students the board said it will implement a vetting program where it examines digital tools students are able to use.

Risk assessments of digital technologies include artificial intelligence. These assessments identify risks and mitigates controls before the technologies are adopted by the board.

Cyber security is embedded in the policy and part of this includes implementing a cyber security program. The board at minimum provides annual cyber security training for staff and trustees.

“UGDSB recognizes that even with appropriate training, security controls and technologies, a cyber incident is still possible when faced with a determined, well-funded adversary,” stated in the report.

The board has created a cyber incident response plan so it’s prepared in case of a cyber incident. It outlines the responsibilities of those involved in the board’s response to a cyber incident and identifies reporting requirements. 

If the draft policy is approved to go out for public consultation at a future board meeting then it will be released for public feedback for 30 days.