Committee approves information-security policy after IT briefing

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

The Waukesha School District policy committee approved policy 8305 on information security 5-0 after a briefing from the district chief information officer about incident response, tabletop exercises and recent defensive measures.

The Waukesha School District Policy & Government Relations Committee approved a revised information-security policy (policy 8305) after a detailed briefing by the district’s chief information officer.

Committee member Mrs. White moved to approve the policy as presented with two grammatical edits; the motion was seconded by Mr. Brooks and passed 5-0.

The vote followed a presentation by Mr. Schloman, the district’s chief information officer, who described the district’s cyber incident response plan, plans for a tabletop exercise this summer, and operational changes the district has made to reduce risk. "We do have a cyber incident response plan," Schloman said, adding that the district has been coordinating with federal and state resources and plans a simulated incident this summer that will include cabinet, IT and communications staff.

Schloman told the committee the district has upgraded its network capacity and defensive tools. He said the district upgraded its Internet connection from 1 gig to 10 gig, which he said allows the network to absorb typical distributed denial-of-service traffic without a major outage. "We typically run, on an average day, about 2 to 3 gig of throughput. So with our 10-gig ceiling, we can absorb a DDoS attack of 2 or 3 gig and not feel it," Schloman said. He also said the district has had no data breaches since his tenure began.

On remote access, Schloman said the district moved away from a VPN model and now requires staff who work offsite to log into a cloud-based virtual desktop hosted in Microsoft Azure. That virtual desktop, he said, restricts what applications are available and reduces exposure from untrusted local machines. He also said the district has implemented single sign-on so accounts can be disabled centrally when an employee leaves.

Committee members asked about vetting for staff with elevated access, frequency of vulnerability scans, phishing simulations and whether the district conducts disaster-recovery exercises. Schloman said HR performs background checks and that the IT department limits access to systems by role and documents access needs. He said the district receives an external vulnerability scan weekly (reports delivered every Monday) and runs internal scans continuously. On phishing tests, Schloman said the district did not run simulated phishing this year but plans to resume a lighter-weight program next year.

Dr. Seibert, who presented the policy along with Schloman, said some policy language was intentionally limited because disclosing certain technical details could hinder response to incidents. Committee members discussed referencing policy 8300 (continuity of organizational operations) for cadence and noted that 8300 specifies a three-year policy review cadence; Schloman said the IT team intends to review some cyber-related plans at least annually and to fold cyber tabletop exercises into broader continuity planning.

The policy approved by the committee updates definitions and policy titles, removes references to absent administrative guidelines, and ties the district’s risk-assessment work to the continuity plan. The motion to approve passed 5-0.

No additional changes to the substantive security requirements were made at the meeting, and the committee asked staff to consider whether a consolidated technology policy would make cross-references easier to find.