IT Security Policy

By Frances Rogers,2014-11-13 15:07
9 views 0
IT Security Policy

    POLICY NO. 400-P2

    Securing Information Technology Assets

    Purpose: Set requirements for Adopted: July 14, 2000

    maintaining system and network Supersedes: 400-P1

    security, data integrity and Effective Date: October 6, 2000

    confidentiality. Revised: January 10, 2008

Applies to: State of Washington Approving Authority:

    executive branch agencies, agencies headed by separately elected officials, Joe Dear and institutions of higher education Information Services Board Chair (referred to as “agencies” throughout this document). Academic and Also See: Information Technology research applications at institutions of Security Standards higher education are exempt. No. 401-S4

     Information Technology

    Security Guidelines

    No. 402-G2


    1. Agencies shall maintain systems, networks, and applications in a manner to


    ; Availability of information technology (IT) assets.

    ; Access to information technology assets is allowed only by authorized individuals.

    ; Integrity and privacy of information technology assets is maintained.

    ; Misuse or loss of information technology assets is prevented.

2. Each agency shall adhere to this policy and current security standards

    adopted by the Information Services Board (ISB).

    3. Each agency shall operate and maintain information technology assets within

    an environment that provides a level of security commensurate with:

    ; The sensitivity and importance of each asset’s purpose and function.

    ; The privacy and confidentiality level of the information content.

    4. Interaction with agency’s IT assets shall be through an architecture that is

    compliant with all of the ISB’s policies and standards.

    5. Each agency shall ensure every employee is adequately trained to perform the

    security procedures for which they are responsible.

Policy No. 400-P2: Securing Information Technology Assets

    6. Each agency shall establish and maintain an agency security program that includes information technology security policies, procedures, and any other documents necessary to the program.

    ; The agency shall review this program at least annually, and make appropriate

    updates after any significant change to its business operations, computing, or

    telecommunications environment.

    7. Each agency shall conduct an Information Technology Security Policy and Standards Compliance Audit at least once every three years.

    ; The audit shall be performed by a qualified party or parties independent of the

    agency’s information technology organization.

    ; The State Auditor may determine an earlier audit of an agency’s information

    technology security program is warranted.

    ; The nature and scope of the audit shall be commensurate with the extent of the

    agency’s dependence on secure information technology assets to accomplish its

    critical business functions or as such operations may impact the security of other

    state agencies.

    ; The audit shall be conducted using audit standards developed and published by

    the State Auditor.

    ; Upon completion of the audit, each agency shall submit the results of the audit

    and the plan for correcting material deficiencies to the Information Services

    Board, Deputy Director, Department of Information Services.

    8. Agency heads shall provide annual certification to the ISB that the agency is in compliance with this policy and related standards, and that an Information Technology Security Program has been developed, implemented, and tested. ; The annual security verification letter shall be included in the agency information

    technology portfolio, which is due to the ISB on the same date that the agency’s

    budget submittal is due to the Office of Financial Management. ; The verification letter indicates review and acceptance by the agency head of the

    agency’s security policies, procedures, and any other security program

    documents, as well as updates to them since the last approval.

    9. Entities not governed by this policy who wish to connect to statewide systems governed by this policy must sign a statement certifying that a policy comparable to the ISB Securing Information Technology Assets Policy (400-P2) and related standards are in effect and has been developed, implemented, and tested.

     Page 2 of 5

Policy No. 400-P2: Securing Information Technology Assets


Portions of an agency’s IT security program and audit results may contain sensitive or

    confidential information. Agency policy and procedures for the distribution of this information should consider applicable statutes that exempt specific information from public disclosure and limit distribution to authorized entities and individuals with a legitimate need to know.

Information Services Board (ISB)

    ; Review and approve major policy changes.

    ; Interpret the policy (may delegate this responsibility to the Department of Information

    Services Director).

Department of Information Services (DIS) Director (or designee)

    ; Interpret the policy, as delegated by the ISB.

    ; Ensure policy content is kept current.

    ; Recommend updates to this policy and related standards in response to changes in

    technology, service delivery, or other challenges to the security environment. ; Develop an escalation process if an agency is not in agreement or compliance. ; Maintain security of all DIS managed networks (for example, the State Government

    Network (SGN), Intergovernmental Network (IGN), and Public Government Network


    ; Design, establish and maintain the shared infrastructure necessary to support

    applications and data within a trusted, state-wide environment.

    ; Review agency projects for compliance with the security policy.

    ; Help agencies understand how to comply with the policy.

    ; Monitor annual compliance by agencies.

State Auditor

    ; Develop, publish, and maintain audit standards for information technology security


Agency Heads

    ; Ensure and oversee agency’s information technology security and compliance with

    this policy and related standards.

    ; Ensure agency security policies, procedures and any other documents necessary for

    the security program are developed, implemented, maintained, and tested. ; Ensure staff is trained to follow security policies, standards, and procedures. ; Submit annual, signed security verification letter.

     Page 3 of 5

Policy No. 400-P2: Securing Information Technology Assets


    Information technology assets are the processes, procedures, systems, infrastructure, data, and communications capabilities that allow each agency to manage, store, and share information in pursuit of its business mission, including but not limited to:

    ; Applications.

    ; All data typically associated with IT systems regardless of source (agency,

    partner, customer, citizen, etc.).

    ; All data typically associated with IT systems regardless of the medium on which it

    resides (disc, tape, flash drive, cell phone, personal digital assistant, etc.).

    ; End-user authentication systems.

    ; Hardware (voice, video, radio transmitters and receivers, mainframes, servers,

    workstations, personal computers, laptops, and all end point equipment).

    ; Software (operating systems, applications software, middleware, microcode).

    ; Infrastructure (networks, connections, pathways, servers, wireless endpoints).

    ; Services (data processing, telecommunications, office automation, and

    computerized information systems).

    ; Telecommunications hardware, software, and networks.

    ; Radio frequencies.

    ; Data computing and telecommunications facilities.

Security is defined as the ability to protect:

    ; The integrity, availability, and confidentiality of information held by an agency.

    ; Information technology assets from unauthorized use or modification and from

    accidental or intentional damage or destruction.

    ; Information technology facilities and off-site data storage.

    ; Computing, telecommunications, and applications related services.

    ; Internet-related applications and connectivity.

See Information Services Board Policy Definitions.


    RCW 42.56.100 - Protection of public records public access

    RCW 42.56.420 - Security

    RCW 43.88.160 - Fiscal management. Powers and duties of officers and agencies

    RCW 43.105.017(2) and (3) - Department of Information Services. Legislative intent

    RCW 43.105.041 - Powers and duties of (information services) board

    RCW 43.105.200 - Application to institutions of higher education

    State Auditor Information on Compliance Audits

    State Auditor Information Technology Security Policy Audit Standards

    Information Technology Security Standards

    Information Services Board Policy Index

     Page 4 of 5

Policy No. 400-P2: Securing Information Technology Assets


    Date Action taken

    January 10, 2008 Added statement #9 requiring comparable security policies for

    entities wishing to connect to state systems.

    November 2006 Revised format; revised Applies To section content; added

    requirement to submit audit results to the ISB in statement #7;

    revised annual compliance filing date to match agency’s budget

    submittal date in statement #8; removed language redundant with

    Information Technology Security Standards, Policy No. 401-S3;

    simplified and clarified language throughout.

    April 2002 Revised format; added language to policy statement #5 on

    Internet applications; added language to policy statement #8 on

    agencies providing annual certification to the ISB.

    October 6, 2000 Initial effective date.

    July 14, 2000 Policy adopted.


    For questions about this policy, please contact your DIS Information Technology

    Consultant. For technical security questions or to request a network security design review, please contact Enterprise Security Services through the DIS Service Desk at or (360) 753-2454.

     Page 5 of 5

Report this document

For any questions or suggestions please email