Rule 7-3-55.1 - Office of Technology and Strategic ServicesThe Office of Technology and Strategic Services (OTSS) is to support the strategic mission and vision of the State Board of Education (SBE). To accomplish the support of the strategic mission and vision, OTSS will implement and support sound governance, a secure and stable infrastructure, reliable systems and applications, and quality data controlled within the Mississippi Department of Education (MDE). The MDE is committed to compliance with federal and state laws regarding data security and privacy.
1. The OTSS's broad, operational responsibilities, the SBE charges OTSS with: a. Validating and managing data, documenting and managing data definitions, establishing and supporting workflow processes, and implementing and managing business rules established by Program Offices, state, and federal law for all data that is submitted to or collected by the MDE;b. Managing all information technology resources, including physical, virtual, and cloud;c. Ensuring the availability and integrity of systems and applications managed by the MDE;d. Securing networks, systems, and data, including monitoring and mitigating against threats;e. Granting access to information technology systems, applications, data, and reports to appropriate users;f. Managing database and data flows, analyzing data, and generating reports;g. Adhering to information technology best practices, and state and/or federal mandates and guidelines regarding the collection, storage, and disclosure of personally identifiable information (PII) of students, educators, parents, and MDE personnel.2. The OTSS's specific responsibilities related to security, privacy, and governance, the SBE charges OTSS with: a. Staffing OTSS leadership positions with specific security, privacy and governance responsibilities;b. Establishing and supporting an agency-wide data governance program;c. Developing and administering internal policies and procedures necessary to ensure security and privacy;d. Providing mandatory security, privacy and governance training to all MDE personnele. Developing and ensuring compliance with policies and procedures necessary to monitor, manage and mitigate security and privacy risks;f. Regularly reporting on the security and privacy posture and status of the MDE to the State Superintendent of Public Education;g. Sharing with public school districts information technology best practices, and state and/or federal mandates and guidelines regarding the collection, storage, and disclosure of personally identifiable information (PII) of students, educators, parents, and MDE personnel.3. The following terms shall have the meanings ascribed to them in this section unless the context otherwise requires:a. "Authorized User" is a consumer of information technology and data that has been entrusted access based on the principal of least privilege to perform a function for the MDE.b. "Building consensus" is the mediation of a conflict involving many parties.c. "Business Analyst" is a person who performs analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of significant disruption.d. "Change Management" is the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.e. "Data" is the raw un-synthesized facts and statistics collected for reference or analysis.f. "Data Steward" is the program office designee who is responsible for determining how data are defined, collected, audited, and reported to meet the program office and agency requirements.g. "Escalating issues" is the act of bringing an item that has stalled in the resolution process to the attention of the person(s) who have the ability to direct a resolution path.h. "Executive Leadership Team (ELT)" is the leadership team composed of the State Superintendent of Public Education and his/her division chiefs and designated leaders.i. "Governance" is the agency-wide structure and processes for collaborative decision-making and management of the MDE data assets to improve quality and use, while enhancing security and privacy protections.j. "Incident" is an occurrence that potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.k. "Information" is the synthesized data that is a representation of knowledge useful for analysis.l. "Information Technology" are systems for creating, consuming, transmitting, or storing information or data. m."Local Education Agency (LEA)" are districts within the state that are governed by the MDE.n. "Mitigation" is the action of reducing the severity, seriousness, or damaging effects of risk or incident.o. "The Principal of Least Privilege (POLP)" is providing access limited to the minimum rights and permissions an authorized user requires to perform their assigned function.p. "Personally, Identifiable Information (PII)" is the information or data that could be combined to positively identify an individual (i.e. name, address, SSN)q. "Risk" is a measure of the extent to which an entity is threatened by a potential circumstance or event.r. "Systems" are a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.s. "Threat" is any circumstance or event with the potential to adversely impact the MDE.4. The OTSS leadership positions with specific security, privacy, and governance responsibilities: a. The MDE Chief Information Officer (CIO) will have leadership responsibility for - and shall be dedicated to - the daily management and long-range vision and strategies of OTSS. This employee shall be charged with the following responsibilities, including but not limited to: i. Ensuring OTSS' goals and strategies support and further the Goals of the SBE Strategic Plan;ii. Providing strategic leadership to the MDE's information technology and data endeavors;iii. Ensuring that OTSS is appropriately staffed with dedicated and qualified professionals to achieve the Goals of the SBE Strategic Plan;iv. Establishing and maintaining project management and change management over the information technology and data of the MDE ;v. Establishing and supporting data governance within the MDE;vi. Serving as the signatory for all the MDE's purchases and contracts in relation to information technology, operational technology, and data;b. The OTSS Information Security and Data Privacy Officer (ISO) shall be charged with the following responsibilities, including, but not limited to: i. Ensuring the security, privacy, and governance of all data and information within the MDE, by establishing agency-wide policies for sustaining, enhancing, and protecting the privacy and confidentiality of the data;ii. Working with the Data Governance Committee to improve and support data security and privacy through the Data Governance Policy;iii. Investigating and reporting any complaints of privacy violations, data breaches and/or cyber-attacks under MDE's jurisdiction - as well as coordinating with the appropriate authorities iv. Identifying risks and threats to the MDE's information systems and assist in remediation of these risks in coordination with OTSS;v. Investigating and reporting issues of compliance - with this rule and with other applicable data security and privacy laws - by the MDE; vi. Monitoring and reporting on data privacy, security, and governance training and compliance to the CIO and State Superintendent of Public Education;c. The OTSS Data Governance Manager shall be charged with the following responsibilities, including, but not limited to: i. Facilitating and coordinating the development, implementation, and maintenance of the MDE Data Governance Program to promote data quality, availability, usability, security, and privacy; ii. Supporting the Data Governance Committee chair, providing facilitation for and coordination among data governance members and workgroups; iii. Communicating with internal and external data governance stakeholders - including building consensus, mediating disputes, escalating issues, implementing resolutions, and anticipating agency data issues and needs; iv. Coordinating with data stewards and business analysts to document and analyze data processes and business rules - including engaging with various stakeholders to ensure awareness, buy-in, and compliance with data quality, security and privacy processes, and rules; v. Coordinating the development and adoption of key data governance artifacts - including data governance charter, guidelines, and a data dictionary; vi. Coordinating the development and adoption of key data policies (See Section 6); vii. Coordinating with the OTSS project managers to ensure that the prioritized agenda and project plans for key data governance artifacts and data policies are included in an agency-wide project portfolio. 5. The OTSS shall establish and support the agency-wide Data Governance program. This program shall be charged with the following responsibilities: a. The MDE Data Governance program shall be implemented through the Data Governance Committee (DGC) comprised of members representing program offices across the MDE. The work of the DGC shall be authorized through the Data Governance Charter, as approved by the State Superintendent of Public Education. The DGC shall develop and promulgate processes, as well as rules and regulations governing the data that shall apply to all program offices within the MDE.b. The DGC shall establish policies and processes to ensure that data collected by the MDE are stored, maintained, and disseminated in a manner that protects the data integrity and security, as well as the privacy of individuals involved. This includes specifying which data may or may not be collected by the MDE, as well as oversight and responsibility for ensuring the accuracy and validity of the Data Dictionary. i. The MDE program offices shall provide proposed changes to data collection no later than 30 days after SINE DIE. Change requests submitted after the 30-day mark will be held over for the future change request season unless otherwise approved by the State Superintendent of Public Education or his/her designee.ii. The DGC shall review and vote on all proposed changes by or before the September committee meeting. iii. The DGC shall publish the Data Dictionary by December 1st in preparation for the upcoming school year.iv. The DGC shall establish policies and processes to ensure that these annual deadlines are met.c. The DGC shall prioritize and approve a set of internal policies, procedures, standards, and guidelines - as well as a schedule for their development and implementation - necessary to meet the security and privacy obligations of the MDE.6. OTSS shall develop and maintain internal policies, procedures, standards, and guidelines - approved by the DGC in accordance with the agency's data governance process - that are consistent with pertinent industry standards. a. Pertinent industry standards includei. The National Institute of Standards and Technology's (NIST) current Privacy Framework. ii. NIST's current Cybersecurity Framework iii. NIST's current SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizationsiv. NIST's current FIPS- 200 Minimum Security Requirements for Federal Information and Information Systemsv. Fed RAMP's current standardsb. OTSS shall review on at least a biennial basis its internal policies, procedures, standards, and guidelines to ensure consistent alignment with current industry standards.c. To support LEAs, OTSS shall make available guidance, best practices, and pertinent industry standards on the Information Security and Data Privacy section of the MDE's websited. OTSS shall encourage LEAs to develop and implement internal policies, procedures, standards, and guidelines consistent with pertinent industry standards.7. In the event that an LEA becomes aware of a cybersecurity risk or threat that may potentially impact the MDE, the State Network Consortium, or other LEAs, the impacted LEA shall notify the MDE ISO within 24 hours to ensure that the MDE is able to properly mitigate and coordinate a response to the emerging risk or threat, including notifying other LEAs.8. The OTSS shall develop and support MDE staff compliance with all policies and procedures necessary to monitor, manage, and mitigate security and privacy risks. The CIO and ISO shall provide mandatory annual security and privacy training, including, but not limited to, security awareness and FERPA Compliance to all MDE employees. MDE employee access to the MDE information technology and data shall be dependent upon their compliance with training completion and adherence to security and privacy policies, procedures, standards, and guidelines. Those who fail to complete this training or to adhere to the security and awareness program may be referred to ELT for termination of systems and network access and may be subject to disciplinary action. The OTSS shall develop and ensure compliance with policies and procedures necessary to monitor, manage and mitigate security and privacy risks.
9. The CIO shall provide a quarterly report to the State Superintendent of Public Education regarding the security and privacy posture and status of the MDE. This quarterly report shall include at a minimum the following status on: d. Upgrades and Enhancements Source: Miss. Code Ann. §§ 25-53-1 through 25-53-25, § 25-53-201, § 25-61-1et seq., § 37-1-3, § 37-3-5, § 37-151-9, § 75-24-29et seq., MS ITS Enterprise Security Policy Miss. Admin. Code 36: 1 et seq., Every Student Succeeds Act (ESSA), Individuals with Disabilities Education Act (IDEA), Family Educational Rights and Privacy Act (FERPA), Richard B. Russell National School Lunch Act (NSLA), Children's Online Privacy Protection Act (COPPA), Protection of Pupil Rights Amendment (PPRA), Children's Internet Protection Act (CIPA), Federal Information Security Management Act of 2002 (FISMA), National Institute of Standards Technology (NIST), Federal Information Processing Standards 200 (FIPS)
Federal Information Security Management Act of 2002 (FISMA), National Institute of Standards Technology (NIST), Federal Information Processing Standards 200 (FIPS) The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232 g; 34 CFR Part 99) No Child Left Behind Act of 2001, The Individuals with Disabilities Education Improvement Act of 2004 (IDEA) 34CFR 300.560 - 300.577, The U.S. Department of Agriculture - Use of Free and Reduced Price Meal, Eligibility Information Nondiscrimination or Identification of Recipients, 42USC 1758(b)(2)(C)(iii), Richard B Russell National School Lunch Act (42U.S.C. 1751 et seq.) The Child Nutrition Act of 1966 (42 U.S.C. 1771 et seq.), Miss. Code Ann. § 37-1-3, 37-3-5, § 37-151-9, § 25-53-1 to § 25-53-25