Policy Management 
    
    Nov 21, 2024  

IT 1.0 - Information Technology Security Policy


SUMMARY/SCOPE
For the purposes of the Edmonds College (EC) Information Technology Security Policy, security is defined as the ability:

  • To protect the integrity, availability, and confidentiality of information assets managed by EC,
  • To protect those information assets from unauthorized release, modification, accidental or intentional damage or destruction,
  • To protect technology assets (infrastructure) from unauthorized use.

The scope of this policy includes the security of Information Technology (IT) facilities, data, off-site data storage, computing and telecommunications equipment, application-related services purchased from other state agencies or commercial concerns, and Internet-related applications and connectivity.

This policy applies to the EC facilities or contracted hosting services, and to the services provided to the EC employees and students.

DESCRIPTION
Statutory Authority: This local policy aligns our institution with the state Chapter 43.105 RCW for CONSOLIDATED TECHNOLOGY SERVICES AGENCY whereby Higher Education will become compliant with the Standards and Policies of the Washington State Office of the Chief Information Officer and as stated in RCW 43.41A.010.

 

It is the IT Security Policy of Edmonds College that:

Edmonds College shall operate in a manner consistent with the goals of the Office of the Chief Information Officer (OCIO) IT Security Policies and Standards to maintain the protection of sensitive data and business transactions. Edmonds College shall provide secure business applications, infrastructures, and procedures for addressing the business needs of the member colleges. Furthermore, Edmonds College will provide services with the following principles in mind, to promote the shared security of the system:

  1. Edmonds College shall develop and follow security standards for securing workstations, servers, telecommunications, and data access within its network;
  2. Edmonds College shall assure that appropriate security standards are considered and met when developing or purchasing application systems or data access tools;
  3. Edmonds College shall recognize and support the necessity of authenticating external parties needing access to sensitive information and applications;
  4. Edmonds College shall follow security standards established for creating secure sessions for application access. All enterprise and multi-user applications will require access controls appropriate to the classification of data within the application. Any change, addition, and/or modification to configuration or setting within an enterprise or multi-user application must be approved and/or tracked per established standard;
  5. Edmonds College will ensure all employees understand the importance of IT security. Technical staff will receive training commensurate with their job responsibilities. Furthermore, background checks will be performed as part of the hiring process for any full-time IT employee per Edmonds College hiring procedure, as it is possible for any full-time IT employee to have unrestricted access to highly confidential information. Any individual found to have been convicted of a crime related to the theft of information may not be eligible for employment in any IT department. Employment eligibility related to any other crime will be at the discretion of the hiring administrator and Vice President for Human Resources and Operations;
  6. Edmonds College IT security standards and procedures are in place to facilitate compliance with this Edmonds College IT Security Policy and to prevent inappropriate and unauthorized use of Edmonds College technical resources. System Administrators are expected to be familiar with all standards and policies related to those matters;
  7. Edmonds College will review its IT security standards, procedures, and practices annually and make appropriate updates after any significant change to its business, computing, or telecommunications environment;
  8. Edmonds College will conduct a compliance audit of its IT Security Policy and Standards once every three years. Knowledgeable parties independent of Edmonds College’s IT staff, such as the State Auditor, must perform the audit. The work shall follow audit standards developed and published by the State Auditor. The State Auditor’s office may determine an earlier audit of some or all of Edmonds College’s IT processing if warranted, in which case they will proceed under their existing authority. The nature and scope of the audit must be commensurate with the extent that Edmonds College is dependent on secure IT to accomplish its critical business functions. Edmonds College will maintain documentation showing the results of its review or audit and the plan for correcting material deficiencies revealed by the review or audit. To the extent that the audit documentation includes valuable formulae, designs, drawings, computer source codes, object codes or research data, or that disclosure of the audit documentation would be contrary to the public interest and would irreparably damage vital governmental functions, such audit documentation is exempt from public disclosure. See RCW 42.56.210 and RCW 42.56.540;
  9. The Edmonds College President is responsible for the oversight of Edmonds College’s IT security and will confirm in writing, when requested, that the agency is in compliance with this policy. The annual security verification letter will be submitted to the Office of the Chief Information Officer (OCIO), as required. The verification indicates review and acceptance of Edmonds College security processes, procedures, and practices as well as updates to them since the last approval;
  10. The State Auditor may audit Edmonds College IT security processes, procedures, and practices, pursuant to RCW 43.88.160 for compliance with this and OCIO IT Security Policy and Standards; and
  11. The Edmonds College IT security standards and practices contain information that may be confidential or private regarding the Edmonds College business, communications, and computing operations or employees. Persons responsible for distribution of these documents should consider the sensitive nature of the information as well as the related statutory exemptions from public disclosure. See RCW 42.56.210 and RCW 42.56.540.


GLOSSARY TERMS
OCIO - Office of the Chief Information Officer

SOURCE INFORMATION
Chapter 43.105 RCW

RCW 43.41A.010

RCW 42.56.210

RCW 42.56.540

RCW 43.88.160

 

 

CONTENT OWNER. The primary responsibility for this policy belongs to:
Chief Information Officer

PRIMARY CONTENT CONTRIBUTOR (Director/Dean)
Chief Information Officer

REVIEW PERIOD
Three years.

REVIEW HISTORY
2021-Oct 21  Amended to update content owner and contributor, leadership reference

2016-Dec 12 Review and update, changed ISB to reference OCI. Approved by President’s Cabinet. 

2009-Jul 14 Added IT background checks and changed DIS references to ISB.

2005-Apr 05 Accepted by President’s Cabinet

2003-Jul 10 Final Draft

 


