IT-1 Information Technology Security

IT-1 Information Technology Security

Purpose
The purpose of the IT Security policy is to ensure compliance with Washington Office of the Chief Information Officer (OCIO) policies. It covers the security of Green River College (GRC) Computer Technology Resources (CTR) such as: IT facilities, data, off-site data storage, computing and telecommunications equipment, application-related services purchased from other state agencies or commercial concerns, and internet-related applications and connectivity.

Scope
This policy applies to all users of GRC CTR, facilities, and services.

Definitions
For the purposes of the Green River Information Technology Security Policy, security is defined as the ability to protect:

1. The integrity, availability, and confidentiality of CTR assets managed by Green River College,
2. CTR assets from unauthorized release or modification, accidental or intentional damage or destruction, and
3. CTR from unauthorized use.

Policy and/or Procedure

It is the IT Security Policy of Green River that:

1. Green River shall operate in a manner consistent with the goals of the OCIO IT Security Policies to maintain a shared, trusted environment for the protection of sensitive data and business transactions. Green River shall not seek exemptions from reasonable, well-established, or commonly implemented security policies and procedures. Green River shall provide secure business applications, infrastructures, and procedures for addressing the business needs of the college.
2. Furthermore, Green River shall provide services with the following principles in mind to promote the shared security of the system:
   1. Green River shall assure that appropriate security and accessibility standards are considered and met when developing or purchasing application systems or data access tools.
   2. Green River shall recognize and support the necessity of authenticating external parties prior to granting access to sensitive information and applications.
   3. Green River shall develop and follow security standards for securing workstations, servers, telecommunications, and data access; and
   4. Green River shall follow security standards established for creating secure sessions for application access.
3. Each application developed or purchased by Green River must be reviewed to verify that it passes current security standards, ideally by providing a current HECVAT. Security compliance will be reviewed by the Green River IT Security Officer or another member of the IT Security Team or designee as early in the acquisition process as possible, but no later than prior to implementation. Due to the high-risk nature of these applications, this requirement will apply to all (new and existing) applications supported by Green River.
4. Green River will ensure all staff are trained annually in IT security awareness, and that technical staff receive the appropriate training commensurate with their job responsibilities.
5. Green River will review its IT security processes, procedures, and practices annually and make appropriate updates after any significant change to its business, computing, or telecommunications environment.
6. Green River will conduct a compliance audit of its IT Security Program consistent with state requirements. Knowledgeable parties independent of Green River IT staff, such as the State Auditor, must perform the audit. The work shall follow audit standards developed and published by the Auditor. The State Auditor’s office may determine an earlier audit of some or all of Green River IT processing is warranted, in which case they will proceed under their existing authority. The nature and scope of the audit must be commensurate with the extent that Green River is dependent on secure IT to accomplish its critical business functions. Green River will maintain documentation showing the results of its review or audit and the plan for correcting material deficiencies revealed by the review or audit. To the extent that the audit documentation includes valuable formulae, designs, drawings, computer source codes, object codes or research data, or that disclosure of the audit documentation would be contrary to the public interest and would irreparably damage vital government functions, such audit documentation is exempt from public disclosure. The Executive Director of Information Technology is responsible for the oversight of Green River IT security and will confirm in writing that the agency is in compliance with this policy. The annual security verification letter will be submitted to the OCIO, as required. The verification indicates review and acceptance of Green River security processes, procedures, and practices as well as updates.
7. The State Auditor may audit Green River IT security processes, procedures, and practices, for compliance with this and OCIO IT policy.
8. Designated College employees will examine suspected, reported, or identified security vulnerabilities or incidents. Each incident will be evaluated to determine if any sensitive or confidential data was potentially compromised. If determined there is a possible compromise, GRC staff will follow notification procedures as described in the applicable regulations (e.g., FERPA, HIPAA, or PCI-DSS) or the IT Security Program and resolve or mitigate the issue as swiftly as possible.

Green River IT security standards and practices contain information that may be confidential or private regarding Green River business, communications, and computing operations or employees. Persons responsible for the distribution of these documents should consider the sensitive nature of the information as well as the related statutory exceptions from public disclosure.

Specific Authority

Law Implemented

History of Policy or Procedure
Draft: October 15, 2004
Adopted: April 5, 2005
Revised: May 9th, 2023
Reviewed by:
Contact: Jodi Bray, Director of Technical Services, ext. 6056
President’s Staff Sponsor: Camella Morgan, CIO/Executive Director of IT, ext. 6050