IT 1.0 - Information Technology Security Policy
For the purposes of the Edmonds Community College (Edmonds CC) Information Technology Security Policy, security is defined as the ability:
- To protect the integrity, availability, and confidentiality of information assets managed by Edmonds CC,
- To protect those information assets from unauthorized release, modification, accidental or intentional damage or destruction,
- To protect technology assets (infrastructure) from unauthorized use.
The scope of this policy includes the security of Information Technology (IT) facilities, data, off-site data storage, computing and telecommunications equipment, application related services purchased from other state agencies or commercial concerns, and Internet-related applications and connectivity.
This policy applies to the Edmonds CC facilities or contracted hosting services, and to the services provided to the Edmonds CC employees and students.
Statutory Authority: This local policy aligns our institution with the state Chapter 43.105 RCW for CONSOLIDATED TECHNOLOGY SERVICES AGENCY whereby Higher Education will become compliant with the Standards and Policies of the Washington State Office of the Chief Information Officer and as stated in RCW 43.41A.010.
It is the IT Security Policy of Edmonds CC that:
Edmonds CC shall operate in a manner consistent with the goals of the Office of the Chief Information Officer (OCIO) IT Security Policies and Standards to maintain the protection of sensitive data and business transactions. Edmonds CC shall provide secure business applications, infrastructures, and procedures for addressing the business needs of the member colleges. Furthermore, Edmonds CC will provide services with the following principles in mind, to promote the shared security of the system:
- Edmonds CC shall develop and follow security standards for securing workstations, servers, telecommunications, and data access within its network;
- Edmonds CC shall assure that appropriate security standards are considered and met when developing or purchasing application systems or data access tools;
- Edmonds CC shall recognize and support the necessity of authenticating external parties needing access to sensitive information and applications;
- Edmonds CC shall follow security standards established for creating secure sessions for application access. All enterprise and multi-user applications will require access controls appropriate to the classification of data within the application. Any change, addition, and/or modification to configuration or setting within an enterprise or multi-user application must be approved and/or tracked per established standard;
- Edmonds CC will ensure all employees understand the importance of IT security. Technical staff will receive training commensurate with their job responsibilities. Furthermore, background checks will be performed as part of the hiring process for any full-time IT employee per Edmonds CC hiring procedure, as it is possible for any full-time IT employee to have unrestricted access to highly confidential information. Any individual found to have been convicted of a crime related to the theft of information may not be eligible for employment in any IT department. Employment eligibility related to any other crime will be at the discretion of the hiring administrator and Associate VP of Human Resources;
- Edmonds CC IT security standards and procedures are in place to facilitate compliance with this Edmonds CC IT Security Policy and to prevent inappropriate and unauthorized use of Edmonds CC technical resources. System Administrators are expected to be familiar with all standards and policies related to those matters;
- Edmonds CC will review its IT security standards, procedures, and practices annually and make appropriate updates after any significant change to its business, computing, or telecommunications environment;
- Edmonds CC will conduct a compliance audit of its IT Security Policy and Standards once every three years. Knowledgeable parties independent of Edmonds CC’s IT staff, such as the State Auditor, must perform the audit. The work shall follow audit standards developed and published by the State Auditor. The State Auditor’s office may determine an earlier audit of some or all of Edmonds CC’s IT processing if warranted, in which case they will proceed under their existing authority. The nature and scope of the audit must be commensurate with the extent that Edmonds CC is dependent on secure IT to accomplish its critical business functions. Edmonds CC will maintain documentation showing the results of its review or audit and the plan for correcting material deficiencies revealed by the review or audit. To the extent that the audit documentation includes valuable formulae, designs, drawings, computer source codes, object codes or research data, or that disclosure of the audit documentation would be contrary to the public interest and would irreparably damage vital governmental functions, such audit documentation is exempt from public disclosure. See RCW 42.56.210 and RCW 42.56.540;
- The Edmonds CC President is responsible for the oversight of Edmonds CC’s IT security and will confirm in writing, when requested, that the agency is in compliance with this policy. The annual security verification letter will be submitted to the Office of the Chief Information Officer (OCIO), as required. The verification indicates review and acceptance of Edmonds CC security processes, procedures, and practices as well as updates to them since the last approval;
- The State Auditor may audit Edmonds CC IT security processes, procedures, and practices, pursuant to RCW 43.88.160 for compliance with this and OCIO IT Security Policy and Standards; and
- The Edmonds CC IT security standards and practices contain information that may be confidential or private regarding the Edmonds CC business, communications, and computing operations or employees. Persons responsible for distribution of these documents should consider the sensitive nature of the information as well as the related statutory exemptions from public disclosure. See RCW 42.56.210 and RCW 42.56.540.
OCIO - Office of the Chief Information Officer
Chapter 43.105 RCW
CONTENT OWNER. The primary responsibility for this policy belongs to:
Vice President for Finance and Operations
PRIMARY CONTENT CONTRIBUTOR (Director/Dean)
Director of Information Technology & E-Learning
2016-Dec 12 Review and update, changed ISB to reference OCI. Approved by President’s Cabinet.
2009-Jul 14 Added IT background checks and changed DIS references to ISB.
2005-Apr 05 Accepted by President’s Cabinet
2003-Jul 10 Final Draft