The California Department of Education (CDE) is requesting that all California Partnership Academy Annual Report (CAPAAR) users review the following material and agree to the information security conditions. This document contains important information concerning system security and provides examples of behaviors that are recommended to protect the privacy and confidentiality of student and program information. We appreciate your cooperation and request that you review all materials prior to accessing the system.
All local educational agency (LEA) representatives that are authorized to access CAPAAR will see the following language upon each log on and will be asked to check the box indicating that they agree to the terms and conditions set forth in this document:
NOTICE — You are about to access the CAPAAR computer system of CDE. This system is intended for authorized users only. Unauthorized access to or use of this system, or any information therein, is strictly prohibited by Department policy, the CAPAAR Rules of Behavior Agreement, and applicable state and federal laws. Unauthorized access to this system, and/or unauthorized use of information from this system may result in civil and/or criminal penalties under applicable state and federal laws.
By using this system, you are acknowledging and agreeing that all information concerning your access to this system, including but not limited to any information entered, stored, or retrieved by you, may be monitored, retrieved, and/or disclosed by authorized personnel, including authorized network administrators and CDE personnel, for any lawful purpose, including but not limited to criminal prosecution.
The CAPAAR system is a CDE information system for official use only. The security topics addressed in this document provide security information specific to the CAPAAR system. It is important that you read through the entire text.
Local Educational Agency CAPAAR Administrator Guidelines and Application
CAPAAR security controls are implemented to protect the information processed and stored within the system.
Specifically, these control settings are designed to:
- Protect the privacy and confidentiality of the system information.
- Ensure only authorized users access the system.
- Ensure users are uniquely identified when using the system.
- Connect actions taken within the system to a specific user.
- Ensure users only have access to perform the actions required by CDE.
- Ensure CAPAAR information is not inappropriately released.
- Ensure CAPAAR is available to authorized users when needed.
User credentials are the control mechanism by which CAPAAR identifies and verifies users. These are your user ID and password.
User IDs uniquely identify each CAPAAR user and allow the CDE CAPAAR Administrators to attribute actions taken within the system to a specific user. This tracking is important in enforcing accountability within the system. The recommended User ID for LEA Administrators will be created by the CDE CAPAAR Operations Office and will be provided to authorized users prior to initial use of the CAPAAR system.
It is important for you to comply with the following rules governing user credentials:
- Protect your logon credentials at all times.
- Never share your user ID and/or password with anyone.
- Avoid writing your password down (however, if you need to write your password down you must keep this information in a secure area).
- Avoid using the “remember password” feature in your local operating system.
- User accounts are disabled after three (3) consecutive invalid attempts are made to supply a password.
- A disabled password or user account can only be reinstated by the CDE CAPAAR Administrator.
Protection of CAPAAR Information
You are required to protect CAPAAR information in any form. This includes information contained on printed reports, data downloaded onto computers and computer media (e.g., diskettes, tapes, compact discs, thumb drives, etc.), user computer monitors, or any other format.
In order to ensure protection of CAPAAR information, please consider the following guidelines:
- Log out of CAPAAR if you are going to be away from your computer.
- Log out of CAPAAR or lock your computer before you leave it unattended (e.g., use the <Ctrl> <Alt> <Delete> key sequence when leaving your PC workstation).
- Media (including reports) containing CAPAAR information should be removed from your desktop when you are away from your desk.
- Store media containing CAPAAR information in a locked container (e.g. desk drawer) during non-business hours.
- Store digital information in an encrypted format where technically possible.
- Non-essential media containing CAPAAR information should be properly cleansed or destroyed.
- Shred paper media and compact discs prior to disposal.
- Diskettes and other magnetic media should be cleansed using appropriate software or a magnetic field with sufficient strength so as to make the information unreadable.
- Note that simply deleting files from magnetic media does not remove the information from the media.
- Media containing encrypted information may be excluded from the cleansing process, although cleansing is still recommended.
- Do not disclose CAPAAR information to any individual without a “need-to-know” for the information in the course of their business.
Other Security Issues
This section describes some additional security items of which you should be aware.
- Snooping—Snooping is when a user has legitimate access to a system but accesses data outside of the course of performing his/her job duties. Snooping should be avoided. For example, you may be responsible for entering and updating Statewide Student Identifiers (SSIDs) but also have access to assessment records. Snooping occurs if you view assessment records for a particular student and obtain information that is not relevant to your assigned job responsibilities. If you have access to more information than is necessary to perform your job duties, please notify your user Administrator so the appropriate modifications can be made to your user account.
- Shoulder Surfing—Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information. An example of shoulder surfing is when a person looks over someone else’s shoulder while they are entering a password for a system to covertly acquire that password. To protect against this, be aware of your surroundings and prevent the accidental disclosure of information when entering your password or viewing information on your computer monitor.
- Social Engineering—Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. For example, a typical social engineering attack scenario is a hacker calling a system service desk posing as an authorized user. The hacker, through trickery, coercion, or simply being nice, coaxes the service desk technician into providing the login credentials for the user he is claiming to be. The hacker then gains unauthorized access to the system using an authorized user’s credentials. To defeat social engineering, never provide credentials or confidential information.
- Faxing—When faxing CAPAAR information, call the recipient of the fax and let them know it is coming. Ask them to go to the fax machine so they can pull it off right away so any sensitive information is not left lying around the office.
- Virus Scanning and Patching—Maintain current operating system patches and virus definitions to protect your computer. Scan documents or files downloaded to your computer from the Internet for viruses and other malicious code. Virus scanning software should also be used on e-mail attachments.