IT-1 Information Technology Security
Purpose
The purpose of the IT Security policy is to ensure compliance with Washington Office
of the Chief Information Officer (OCIO) policies. It covers the security of Green
River College (GRC) Computer Technology Resources (CTR) such as: IT facilities, data,
off-site data storage, computing and telecommunications equipment, application-related
services purchased from other state agencies or commercial concerns, and internet-related
applications and connectivity.
Scope
This policy applies to all users of GRC CTR, facilities, and services.
Definitions
For the purposes of the GRC Information Technology Security Policy, security
is defined as the ability to protect:
- The integrity, availability, and confidentiality of CTR assets managed by GRC College,
- CTR assets from unauthorized release or modification, accidental or intentional damage or destruction, and
- CTR from unauthorized use.
Policy and/or Procedure
It is the IT Security Policy of GRC that:
- GRC shall operate in a manner consistent with the goals of the OCIO IT Security Policies to maintain a shared, trusted environment for the protection of sensitive data and business transactions. GRC shall not seek exemptions from reasonable, well-established, or commonly implemented security policies and procedures. Green River shall provide secure business applications, infrastructures, and procedures for addressing the business needs of the college.
- Furthermore, GRC shall provide services with the following principles in mind to promote the shared security of the system:
- GRC shall ensure that appropriate security and accessibility standards are considered and met when developing or purchasing application systems or data access tools.
- GRC shall recognize and support the necessity of authenticating external parties prior to granting access to sensitive information and applications.
- GRC shall develop and follow security standards for securing workstations, servers, telecommunications, and data access; and
- GRC shall follow security standards established for creating secure sessions for application access.
- Each application developed or purchased by GRC must be reviewed to verify that it passes current security standards, ideally by providing a current HECVAT. Security compliance will be reviewed by the GRC IT Security Officer or another member of the IT Security Team or designee as early in the acquisition process as possible, but no later than prior to implementation. Due to the high-risk nature of these applications, this requirement will apply to all (new and existing) applications supported by GRC.
- GRC will ensure all staff are trained annually in IT security awareness, and that technical staff receive the appropriate training commensurate with their job responsibilities.
- GRC will review its IT security processes, procedures, and practices annually and make appropriate updates after any significant change to its business, computing, or telecommunications environment.
- GRC will conduct a compliance audit of its IT Security Program consistent with state requirements. Knowledgeable parties independent of GRC IT staff, such as the State Auditor, must perform the audit. The work shall follow audit standards developed and published by the Auditor. The State Auditor's office may determine that an earlier audit of some or all of GRC IT processing is warranted, in which case they will proceed under their existing authority. The nature and scope of the audit must be commensurate with the extent to which GRC is dependent on secure IT to accomplish its critical business functions. GRC will maintain documentation showing the results of its review or audit and the plan for correcting material deficiencies revealed by the review or audit. To the extent that the audit documentation includes valuable formulae, designs, drawings, computer source codes, object codes or research data, or that disclosure of the audit documentation would be contrary to the public interest and would irreparably damage vital government functions, such audit documentation is exempt from public disclosure. The Executive Director of Information Technology is responsible for the oversight of GRC IT security and will confirm in writing that the agency is in compliance with this policy. The annual security verification letter will be submitted to the OCIO, as required. The verification indicates review and acceptance of GRC security processes, procedures, and practices as well as updates.
- The State Auditor may audit GRC IT security processes, procedures, and practices for compliance with this and OCIO IT policy.
- Designated College employees will examine suspected, reported, or identified security vulnerabilities or incidents. Each incident will be evaluated to determine whether any sensitive or confidential data was potentially compromised. If a possible compromise is determined, GRC staff will follow the notification procedures described in the applicable regulations (e.g., FERPA, HIPAA, or PCI-DSS) or the IT Security Program and resolve or mitigate the issue as swiftly as possible.
GRC IT security standards and practices contain information that may be confidential or private regarding GRC business, communications, and computing operations or employees. Persons responsible for the distribution of these documents should consider the sensitive nature of the information as well as the related statutory exceptions from public disclosure.
Specific Authority
Law Implemented
History of Policy or Procedure
Draft: October 15, 2004
Adopted: April 5, 2005
Revised: May 9, 2023
Reviewed by:
Contact: Jodi Bray, Director of Technical Services, ext. 6056
President's Staff Sponsor: Camella Morgan, CIO/Executive Director of IT, ext. 6050