Highline College

Connect with Highline College

Campus will be open on Thursday, November 21, and all classes and operations will return to normal.

IT Security Policy

Home/IT Security/IT Security Policy
IT Security Policy 2024-04-10T15:17:45+00:00

Highline College IT Security Policy

Executive Summary

  • An information security policy is designed to protect information resources from a wide range of threats, to ensure business continuity and minimize business risk.
  • Information resource security is achieved by implementing applicable policies, processes, procedures, controls, standards, guidelines, organizational structures, and supporting technology.
  • The information security policy governs the confidentiality, integrity, and availability of Highline College data, especially highly sensitive or critical data, and defines the responsibilities of departments and individuals for such data.
  • Information resource management is governed by several federal and state laws, administrative codes, and Washington State Office of the Chief Information Officer (OCIO) policies and guidelines.

Introduction

Highline College is accredited by the Northwest Commission on Colleges and Universities, an institutional accrediting body recognized by the Council for Higher Education Accreditation and the secretary of the United States Department of Education. Faculty, staff, and students all rely heavily on Information Technology Services (ITS) to accomplish their jobs, and as an integral part of the learning environment/curriculum at the college. Because IT and networks are central to the business of Highline College, ITS has been heavily invested in and continues to be a critical partner for the entire campus.

As a result of this reliance, a comprehensive security plan is essential to the protection of these services. IT in higher education is challenging because the business of a college is extremely varied, serving students, prospective students, staff, faculty, alumni, and the general public. Systems must be easily accessed, yet have various levels of security to prevent unauthorized use of systems, networks, and data.

This IT Security Policy attempts to strike a balance between security and usability of systems, networks and data.

Purpose

The purpose of the information security program is to:

  • Ensure the confidentiality, integrity, and availability of Highline College data;
  • Satisfy and maintain compliance with applicable laws, codes, controls, rules, and regulations;
  • Reflect Highline College’s commitment to stewardship of sensitive and critical business information;
  • Establish the governance and responsibilities for information security at Highline College;
  • Establish a requirement for periodic assessments of risk and impact resulting from unauthorized access, use, disruption, or destruction of information and information systems that support Highline College;
  • Provide for information classification and establish controls for each classification type;
  • Establish an ongoing security awareness education program for all users starting with new employees during onboarding process;
  • Establish strategies to protect high-impact information resources;
  • Develop risk based plans for information security applicable to networks, facilities, and information systems;
  • Develop processes to:
    • Plan, implement, evaluate, and document remedial action to address any deficiencies in the information security policies, procedures, and practices of Highline College; and
    • Justify, grant, and document any exceptions to specific program requirements in accordance with requirements and processes defined by the Washington State OCIO;
  • Facilitate the development of policies, standards, and procedures that include controls for:
    • Data security risk management required by the OCIO;
    • Mitigation of information security risks to levels acceptable to Highline College; and
    • Information security throughout the life cycle of the information resource.

Scope

This IT Security Policy covers all Highline College computing and networking equipment which is managed by Information Technology Services (ITS) personnel including the physical network infrastructure.

Authority

Highline College recognizes the authority of the Office of the Chief Information Officer (OCIO) in requiring state agencies to develop an IT Security Plan as provisioned in RCW 43.105.041 (see also RCW Chapter 43.105). This Plan is written to fulfill this requirement.

Governance and Responsibilities

Governance consists of the leadership and organizational structures to ensure that Highline College’s information resources sustain and extend College’s strategies and objectives.

Highline College maintains a distributed and coordinated approach to the protection of information resources and repositories of protected information that are directly or indirectly under Highline College’s custody by establishing appropriate and reasonable administrative, technical, and physical safeguards. These safeguards are to be adhered to by all individuals that administer, install, maintain, contract, or make use of Highline College’s information resources.

IT governance is the designated responsibility of The Executive Director of Information Technology Services (ITS), who also functions as Chief Information Officer (CIO). The Executive Director provides strategic direction, ensures objectives are achieved, ascertains that risks are managed appropriately, and verifies that Highline College’s information resources are used responsibly. The Executive Director ensures IT operations are aligned with college activities and initiatives through meeting bi-monthly with the Executive Staff and Instruction Cabinet, monthly with the Technology Advisory Committee, and quarterly with the Faculty Technology Committee and Administrative Cabinet.

ITS is responsible for developing and implementing controls and promoting awareness of IT security requirements and plans throughout Highline College.

The following roles are subsequently defined with appropriate responsibilities and authorities regarding information security:

Information Security Officer (ISO)

The ISO reports directly to the Executive Director of Information Technology Services. The ISO has authority for information security for the entire College. The ISO is responsible to:

  • Develop and recommend a campus-wide information security program as required by  the OCIO;
  • Develop and maintain a campus-wide information security plan;
  • Develop and maintain information security policies and procedures that address the requirements of the OCIO and the College’s information security risks;
  • Work with the business and technical resources to ensure that controls are utilized to address all applicable requirements of the OCIO and the College’s information security risks;
  • Train and oversee personnel with significant responsibilities for information security with respect to such responsibilities;
  • Provide guidance and assistance to senior College officials, information owners, information custodians, and end-users concerning their responsibilities;
  • Ensure that annual information security risk assessments are performed and documented by information-owners;
  • Review the inventory of information systems, related ownership, and responsibilities;
  • In cooperation with the Executive Director of Information Technology Services and information owners, develop and recommend policies and establish procedures and practices necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure;
  • Coordinate the review of the data security requirements, specifications, and if applicable, third party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data;
  • Verify that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high impact computer applications or computer applications that receive, maintain, and/or share confidential data;
  • Report at least annually, to the Executive Director of Information Technology Services, the status and effectiveness of security controls; and inform the campus departments, data owners and data custodians in the event of noncompliance with the OCIO and/or with Highline College’s information security policies;
  • Issue exceptions to information security requirements or controls in the OCIO, with the approval of the Executive Director of Information Technology Services. Justify, document and communicate any such exceptions as part of the risk assessment process.

Technology Advisory Committee (TAC)

In order to promote a college environment that optimizes the use of technology tools and resources in achieving the college’s vision, mission, and strategic plan, the Technology Advisory Committee (TAC) will meet regularly to advise Information Technology Services on campus-wide technology needs. TAC will act as a clearinghouse for technology projects in college divisions, and will facilitate cross-divisional cooperation and coordination to reduce duplication of effort. TAC will advise ITS on prioritization of projects as needed, and will review and comment on technology acquisitions or implementations affecting the campus as a whole.

TAC members will act as liaisons to their college divisions on technology issues, will encourage a college-wide perspective on the application of technology on campus, and will advocate for the support of technical standards and policies where applicable.

TAC may establish working groups as needed for specific projects or topics, which may include a subset of TAC members as well as other relevant campus staff.

Faculty Technology Committee (FTC)

The Faculty Technology Committee (FTC) partners with Information Technology Services (ITS) to promote a college environment that optimizes the use of innovative technology tools and resources in achieving the college’s instructional goals. The FTC will:

  • Advise ITS on classroom and instructional technology projects, and will review and comment on instructional technology acquisitions or implementations affecting the campus as a whole.
  • Review departmental instructional technology projects, and will facilitate cross-departmental cooperation and coordination to reduce duplication of effort.
  • Identify innovative technologies and explore their usefulness for teaching and learning.

FTC members will act as liaisons to their academic divisions and/or departments on instructional technology issues, encourage a college-wide perspective on the application of instructional technology on campus, and advise on and advocate for the support of instructional technology standards and policies where applicable.

Membership of the FTC will consist of one representative each from the five academic divisions, one representative each from other key instructional areas, and the Technology Advisory Committee (TAC) faculty representative.

Information Owner/Data Owner

A data owner is defined as a person(s) with statutory or operational authority for specific information or information resources. The data owner or his or her designated representative(s) are responsible for and authorized to:

  • Classify information under their authority, with the approval of the Executive Director of Information Technology Services or his or her designated representative(s), in accordance with Highline College’s established information classification categories;
  • Approve access to information resources and periodically review access lists based on documented risk management decisions;
  • Formally assign custody of information or an information resource;
  • Coordinate (including implementation and review of) data security control requirements with the ISO;
  • Convey data security control requirements to custodians;
  • Provide authority to custodians to implement security controls and procedures;
  • Justify, document, and be accountable for exceptions to security controls;
  • Coordinate and obtain approval for exceptions to security controls with the ISO;
  • Participate in risk assessments.

User/Information User/Authorized User

An information user is defined as an individual, process, or automated application authorized to access an information resource in accordance with federal and state law, agency policy, and the information owner’s procedures and rules. The user of an information resource has the responsibility to:

  • Use the resource only for the purpose specified by the institution or information owner;
  • Comply with information security controls and institutional policies to prevent unauthorized or accidental disclosure, modification, or destruction;
  • Formally acknowledge that they will comply with the security policies and procedures in a method determined by Highline College.

Standards and Guidelines