The Office of Technology and Strategic Services (OTSS) is to support the strategic mission and vision of the State Board of Education (SBE). To accomplish the support of the strategic mission and vision, OTSS will implement and support sound governance, a secure and stable infrastructure, reliable systems and applications, and quality data controlled within the Mississippi Department of Education (MDE). The MDE is committed to compliance with federal and state laws regarding data security and privacy.
1. Regarding the OTSS's broad operational responsibilities, the SBE charges OTSS with:
a. Validating and managing data, documenting and managing data definitions, establishing and supporting workflow processes, and implementing and managing business rules established by Program Offices, state, and federal law for all data that is submitted to or collected by the MDE;
b. Managing all information technology resources, including physical, virtual, and cloud;
c. Ensuring the availability and integrity of systems and applications managed by the MDE;
d. Securing networks, systems, and data, including monitoring and mitigating against threats;
e. Granting access to information technology systems, applications, data, and reports to appropriate users;
f. Managing databases and data flows, analyzing data, and generating reports;
g. Adhering to information technology best practices, and state and/or federal mandates and guidelines regarding the collection, storage, and disclosure of personally identifiable information (PII) of students, educators, parents, and MDE personnel.
2. Regarding the OTSS's specific responsibilities related to security, privacy, and governance, the SBE charges OTSS with:
a. Staffing OTSS leadership positions with specific security, privacy and governance responsibilities;
b. Establishing and supporting an agency-wide data governance program;
c. Developing and administering internal policies and procedures necessary to ensure security and privacy;
d. Providing mandatory security, privacy and governance training to all MDE personnel;
e. Developing and ensuring compliance with policies and procedures necessary to monitor, manage and mitigate security and privacy risks;
f. Regularly reporting on the security and privacy posture and status of the MDE to the State Superintendent of Public Education;
g. Sharing with public school districts information technology best practices, and state and/or federal mandates and guidelines regarding the collection, storage, and disclosure of personally identifiable information (PII) of students, educators, parents, and MDE personnel.
3. The following terms shall have the meanings ascribed to them in this section unless the context otherwise requires:
a. "Authorized User" is a consumer of information technology and data who has been entrusted with access, based on the principle of least privilege, to perform a function for the MDE.
b. "Building consensus" is the mediation of a conflict involving many parties.
c. "Business Analyst" is a person who performs analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of significant disruption.
d. "Change Management" is the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
e. "Data" is the raw, unsynthesized facts and statistics collected for reference or analysis.
f. "Data Steward" is the program office designee who is responsible for determining how data are defined, collected, audited, and reported to meet the program office and agency requirements.
g. "Escalating issues" is the act of bringing an item that has stalled in the resolution process to the attention of the person(s) who have the ability to direct a resolution path.
h. "Executive Leadership Team (ELT)" is the leadership team composed of the State Superintendent of Public Education and his/her division chiefs and designated leaders.
i. "Governance" is the agency-wide structure and processes for collaborative decision-making and management of the MDE data assets to improve quality and use, while enhancing security and privacy protections.
j. "Incident" is an occurrence that potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
k. "Information" is the synthesized data that is a representation of knowledge useful for analysis.
l. "Information Technology" refers to systems for creating, consuming, transmitting, or storing information or data.
m. "Local Education Agency (LEA)" refers to districts within the state that are governed by the MDE.
n. "Mitigation" is the action of reducing the severity, seriousness, or damaging effects of a risk or incident.
o. "The Principle of Least Privilege (POLP)" is providing access limited to the minimum rights and permissions an authorized user requires to perform their assigned function.
p. "Personally Identifiable Information (PII)" is the information or data that could be combined to positively identify an individual (e.g., name, address, SSN).
q. "Risk" is a measure of the extent to which an entity is threatened by a potential circumstance or event.
r. "Systems" are a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
s. "Threat" is any circumstance or event with the potential to adversely impact the MDE.
4. The OTSS leadership positions with specific security, privacy, and governance responsibilities are as follows:
a. The MDE Chief Information Officer (CIO) will have leadership responsibility for - and shall be dedicated to - the daily management and long-range vision and strategies of OTSS. This employee shall be charged with the following responsibilities, including but not limited to:
i. Ensuring OTSS's goals and strategies support and further the Goals of the SBE Strategic Plan;
ii. Providing strategic leadership to the MDE's information technology and data endeavors;
iii. Ensuring that OTSS is appropriately staffed with dedicated and qualified professionals to achieve the Goals of the SBE Strategic Plan;
iv. Establishing and maintaining project management and change management over the information technology and data of the MDE;
v. Establishing and supporting data governance within the MDE;
vi. Serving as the signatory for all the MDE's purchases and contracts in relation to information technology, operational technology, and data;
b. The OTSS Information Security and Data Privacy Officer (ISO) shall be charged with the following responsibilities, including, but not limited to:
i. Ensuring the security, privacy, and governance of all data and information within the MDE, by establishing agency-wide policies for sustaining, enhancing, and protecting the privacy and confidentiality of the data;
ii. Working with the Data Governance Committee to improve and support data security and privacy through the Data Governance Policy;
iii. Investigating and reporting any complaints of privacy violations, data breaches and/or cyber-attacks under MDE's jurisdiction - as well as coordinating with the appropriate authorities;
iv. Identifying risks and threats to the MDE's information systems and assisting in remediation of these risks in coordination with OTSS;
v. Investigating and reporting issues of compliance - with this rule and with other applicable data security and privacy laws - by the MDE;
vi. Monitoring and reporting on data privacy, security, and governance training and compliance to the CIO and State Superintendent of Public Education;
c. The OTSS Data Governance Manager shall be charged with the following responsibilities, including, but not limited to:
i. Facilitating and coordinating the development, implementation, and maintenance of the MDE Data Governance Program to promote data quality, availability, usability, security, and privacy;
ii. Supporting the Data Governance Committee chair, providing facilitation for and coordination among data governance members and workgroups;
iii. Communicating with internal and external data governance stakeholders - including building consensus, mediating disputes, escalating issues, implementing resolutions, and anticipating agency data issues and needs;
iv. Coordinating with data stewards and business analysts to document and analyze data processes and business rules - including engaging with various stakeholders to ensure awareness, buy-in, and compliance with data quality, security and privacy processes, and rules;
v. Coordinating the development and adoption of key data governance artifacts - including a data governance charter, guidelines, and a data dictionary;
vi. Coordinating the development and adoption of key data policies (see Section 6);
vii. Coordinating with the OTSS project managers to ensure that the prioritized agenda and project plans for key data governance artifacts and data policies are included in an agency-wide project portfolio.
5. The OTSS shall establish and support the agency-wide Data Governance program. This program shall be charged with the following responsibilities:
a. The MDE Data Governance program shall be implemented through the Data Governance Committee (DGC), comprised of members representing program offices across the MDE. The work of the DGC shall be authorized through the Data Governance Charter, as approved by the State Superintendent of Public Education. The DGC shall develop and promulgate processes, as well as rules and regulations governing the data, that shall apply to all program offices within the MDE.
b. The DGC shall establish policies and processes to ensure that data collected by the MDE are stored, maintained, and disseminated in a manner that protects the data integrity and security, as well as the privacy of individuals involved. This includes specifying which data may or may not be collected by the MDE, as well as oversight and responsibility for ensuring the accuracy and validity of the Data Dictionary.
i. The MDE program offices shall provide proposed changes to data collection no later than 30 days after SINE DIE. Change requests submitted after the 30-day mark will be held over for the future change request season unless otherwise approved by the State Superintendent of Public Education or his/her designee.
ii. The DGC shall review and vote on all proposed changes by or before the September committee meeting.
iii. The DGC shall publish the Data Dictionary by December 1st in preparation for the upcoming school year.
iv. The DGC shall establish policies and processes to ensure that these annual deadlines are met.
c. The DGC shall prioritize and approve a set of internal policies, procedures, standards, and guidelines - as well as a schedule for their development and implementation - necessary to meet the security and privacy obligations of the MDE.
6. OTSS shall develop and maintain internal policies, procedures, standards, and guidelines - approved by the DGC in accordance with the agency's data governance process - that are consistent with pertinent industry standards.
a. Pertinent industry standards include:
i. The National Institute of Standards and Technology's (NIST) current Privacy Framework;
ii. NIST's current Cybersecurity Framework;
iii. NIST's current SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations;
iv. NIST's current FIPS 200, Minimum Security Requirements for Federal Information and Information Systems;
v. FedRAMP's current standards.
b. OTSS shall review on at least a biennial basis its internal policies, procedures, standards, and guidelines to ensure consistent alignment with current industry standards.
c. To support LEAs, OTSS shall make available guidance, best practices, and pertinent industry standards on the Information Security and Data Privacy section of the MDE's website.
d. OTSS shall encourage LEAs to develop and implement internal policies, procedures, standards, and guidelines consistent with pertinent industry standards.
7. In the event that an LEA becomes aware of a cybersecurity risk or threat that may potentially impact the MDE, the State Network Consortium, or other LEAs, the impacted LEA shall notify the MDE ISO within 24 hours to ensure that the MDE is able to properly mitigate and coordinate a response to the emerging risk or threat, including notifying other LEAs.
8. The OTSS shall develop and support MDE staff compliance with all policies and procedures necessary to monitor, manage, and mitigate security and privacy risks. The CIO and ISO shall provide mandatory annual security and privacy training, including, but not limited to, security awareness and FERPA compliance, to all MDE employees. MDE employee access to the MDE information technology and data shall be dependent upon their completion of the training and adherence to security and privacy policies, procedures, standards, and guidelines. Those who fail to complete this training or to adhere to the security and awareness program may be referred to ELT for termination of systems and network access and may be subject to disciplinary action.
The OTSS shall develop and ensure compliance with policies and procedures necessary to monitor, manage and mitigate security and privacy risks.
9. The CIO shall provide a quarterly report to the State Superintendent of Public Education regarding the security and privacy posture and status of the MDE. This quarterly report shall include, at a minimum, the following status on:
a. Audits and Mitigation
b. Incidents
c. Training
d. Upgrades and Enhancements
Source: Miss. Code Ann. §§ 25-53-1 through 25-53-25, § 25-53-201, § 25-61-1 et seq., § 37-1-3, § 37-3-5, § 37-151-9, § 75-24-29 et seq.; MS ITS Enterprise Security Policy, Miss. Admin. Code 36:1 et seq.; Every Student Succeeds Act (ESSA); Individuals with Disabilities Education Act (IDEA); Family Educational Rights and Privacy Act (FERPA); Richard B. Russell National School Lunch Act (NSLA); Children's Online Privacy Protection Act (COPPA); Protection of Pupil Rights Amendment (PPRA); Children's Internet Protection Act (CIPA); Federal Information Security Management Act of 2002 (FISMA); National Institute of Standards and Technology (NIST); Federal Information Processing Standards 200 (FIPS).