TECHNOLOGY INTEGRATION STANDARDS
As part of its responsibilities outlined in the FCS Information Security Policy and Procedure manual, the Technology Services department has developed the following technical standards to which all FCS personnel are expected to follow. These standards were developed with security and safety of all FCS staff and students in mind, along with obligations from applicable state and federal laws.
Any NEW hardware, software, and/or service – including all web-based resources – must be approved prior to testing and/or purchase. The approval process consists of a security review, compatibility assessment, and evaluation for data privacy compliance. All requests for review should be received well in-advance of the expected implementation date. [NOTE: We will post a link to the request form once it is formally approved. Until the link is provided, please submit a technology service ticket for this request.]
All existing hardware, software, and services are subject to re-evaluation to ensure they meet FCS security and privacy standards. Should a re-evaluation indicate an issue with an existing item, Technology Services will communicate the risk with the owner and inform them of what steps may be taken to comply with the standards.
Re-evaluations may include, though not be limited by, the standards listed below:
- The end-of-life (EOL) and/or end-of-support (EOS) date of the item. Items more than one
(1) year past the last available security patch will not be allowed to connect to any trusted FCS resource. Examples of this are printers, cameras, and projectors.
- The threat surface of the item. If an in-use product is found to have an unacceptable threat surface (meaning that it poses an immediate risk to FCS resources), it may be removed/disabled until such time as the risk has been mitigated. A potential example of this is software that collects student data in a manner inconsistent with FERPA guidance.
- Product misuse. If an approved product is found to be used in a manner contrary to its intended purpose and approval, it may be removed/disabled until compliance can be confirmed.
- Dependence on a deprecating resource. If an item requires the use of another resource that is scheduled for retirement, the item(s) may be unavailable until such time as the dependence on that resource can be removed. An example of this would be a resource that connects to an FCS database service that can no longer be supported due to lack of security support.
- A new version is released. If a vendor substantially updates its product, it may be necessary to re-evaluate it to ensure it maintains compliance with FCS security and privacy standards.
- Unsanctioned software/hardware. If unsanctioned items are discovered to be used by FCS personnel and/or used on the trusted network, access may be restricted until such time as compliance can be ensured. An example of this would be smart speakers – they violate many data privacy laws and cannot be used in any capacity within FCS.
- Duplication of a sanctioned service. If the item duplicates a pre-existing and sanctioned service, owner may be required to utilize approved service at the natural end of the contract of the unsanctioned service. If no contract is active, the shift to the sanctioned service must occur no later than the beginning of the upcoming fiscal year.
Though Technology Services will make a reasonable effort to notify owners of any non- compliant items, it is the sole responsibility of the item owner to stay informed and ensure compliance. Additionally, unless otherwise agreed, it is the responsibility of the owner to replace non-complying item(s).