Business Continuity Plan
200 points

DIRECTIONS:

1. Must contain 3 major sections: 30 OF 200 POINTS
· Planning for Cyber Security
· Managing Cyber Security
· Security Assessment

2. Each area of concern listed below must be placed somewhere within one of the three sections. Comprehensiveness and detail must be demonstrated for each area of concern. 150 OF 200 POINTS
· Best Practices
· Standards
· Plan of Action
· Security Governance
· Risk Management
· Security Management
· People Management
· Information Management
· Physical Asset Management
· Business Applications Management
· System Access
· System Management
· Networks and Communications
· Technical Security Management
· Threat and Incident Management
· Security Monitoring and Improvement

3. Grammar, readability, flow of content, and usability of plan: 20 OF 200 POINTS
ADMINISTRATIVE POLICIES & PROCEDURES
Administrative Procedure 6.01: Information Technology Procedure
Approved by Administrative Council on August 8, 2006

PURPOSE
This procedure describes the specific processes and tasks that are in place to oversee the management of IT security, and defines roles and responsibilities within this effort. This procedure serves as an umbrella that governs all other YVCC Procedures and Standards pertaining to IT/Telecommunications usage on campus, and complies with the Office of the Chief Information Officer (OCIO) Policy No. 141, Securing Information Technology Assets.

SCOPE
This procedure applies to all members of the Yakima Valley Community College (YVCC) community, with specific duties and responsibilities placed upon Yakima Valley Community College. This procedure applies to all campus facilities, equipment and services that are managed by the YVCC Technology Services Department, as well as off-site data storage, computing and telecommunications equipment.

This procedure also includes application-related services purchased from other state agencies or commercial concerns, and Internet-related applications and connectivity. It is not the intent of this procedure to restrict academic freedom in any way, nor to impinge on the intellectual property rights of authorized users; therefore this procedure exercises the exemption granted in the Office of the Chief Information Officer (OCIO) Securing IT Assets Policy for Institutions of Higher Education, pursuant to RCW 43.105.200, which states that, "in the case of institutions of higher education, the provisions of chapter 20, Laws of 1992, apply to business and administrative applications but do not apply to academic and research applications."

PROCEDURE
YVCC acknowledges the obligation to provide adequate security and protection of all Information Technology (IT) usage within its domain of ownership and control. It is the sole responsibility of YVCC to provide oversight management of all tasks and procedures that directly pertain to maintaining IT security on campus. It is the responsibility of all members of YVCC to participate in and share this obligation as specified by all supportive policies and procedures pertaining to technology use on campus.

IT security is defined as:
· Protecting the integrity, availability and confidentiality of information assets managed by YVCC.
· Protecting information assets from unauthorized release or modification, and from accidental or intentional damage or destruction.
· Protecting technology assets such as hardware, software, telecommunications, and networks (infrastructure) from unauthorized use.

IT security will be maintained by upholding the following guidelines and procedures:
· YVCC will operate in a manner consistent with the goals of the OCIO Policy Securing IT Assets to maintain a shared, trusted environment within YVCC and within the Washington Community and Technical College (WACTC) system for the protection of sensitive data and business transactions.
· YVCC will maintain an IT Security Audit Portfolio that includes comprehensive documentation of all processes, as required by the OCIO Policy Securing IT Assets. Comprehensive documentation of all IT applications developed or purchased by the college will be included in this audit portfolio. This portfolio and all documentation related to any YVCC IT Security policies, procedures, and standards will be maintained in the office of the YVCC Director of Technology Services.
· YVCC will submit annual written verification to the OCIO verifying compliance with the processes and documentation of processes required by the OCIO Policy Securing IT Assets.
· YVCC will ensure that all college employees are appropriately familiar with all IT security policies, procedures, and standards, and are aware of their personal responsibilities to protect IT resources on campus. YVCC will provide training to each employee in the security procedures for which they are responsible.
· YVCC will review its security processes, policies, procedures, and practices annually. In the event of any significant changes to its business, computing, or telecommunications environments, YVCC will make appropriate updates as necessary.
· A compliance audit of the YVCC IT Security Policy will be conducted every three years and will be performed by knowledgeable parties independent of YVCC employees, such as the State Auditor. The format of this work shall follow audit standards developed and published by the Washington State Auditor.

The State Auditor's office may determine that an earlier audit of some or all of YVCC IT processing is warranted, in which case they will proceed under their existing authority. The nature and scope of the audit must be commensurate with the extent to which YVCC is dependent on secure IT to accomplish its critical business functions. YVCC will maintain documentation showing the results of its review or audit and the plan for correcting material deficiencies revealed by the review or audit. To the extent that the audit documentation includes valuable formulas, designs, drawings, computer source codes, object codes or research data, or that disclosure of the audit documentation would be contrary to the public interest and would irreparably damage vital government functions, such audit documentation is exempt from public disclosure (see RCW 42.17.310 and 42.17.330). The State Auditor may audit YVCC IT security processes, policies, procedures, and practices, pursuant to RCW 43.88.160, for compliance with this and the OCIO Policy Securing IT Assets.

It is the intent of Yakima Valley Community College to take precautions to prevent revealing specific security procedures, standards, and practices containing information that may be confidential or private regarding YVCC business, communications, and computing operations or employees. Persons responsible for distribution of these documents should consider the sensitive nature of the information as well as related statutory exemptions from public disclosure (see RCW 42.17.310 and 42.17.330).

This YVCC IT Security Procedure is acknowledged as a "living" document that may require periodic alteration to address changes in technology, applications, procedures, legal and social imperatives, and unanticipated dangers.

RESPONSIBILITIES
Technology Services (TS)
Technology Services is responsible for:
1. Maintaining an IT Security Audit Portfolio on behalf of the college that includes comprehensive documentation of all processes as required by the OCIO Policy Securing IT Assets.
2. Submitting, on behalf of the college, annual written verification to the OCIO showing the college's direct compliance with all IT security standards, as outlined in the OCIO Policy Securing IT Assets (RCW 43.105.017(3)). This written verification will include all revisions from previously submitted documentation, and will be submitted no later than October 6 each year, as required by state law.
3. Providing the college with secure business applications, services, infrastructures, and procedures for addressing the business needs of the college.
4. Following and enforcing internal security standards established for creating and maintaining secure sessions for application access.
5. Notifying Human Resources and the appropriate administrator(s) when an individual or individuals have knowingly compromised IT security on campus.

Technology Services is not responsible for determining disciplinary action for individuals who may deliberately violate IT security policies, procedures, or standards. This responsibility will be managed by the respective campus office, administrator, or local law enforcement, depending on the scope and nature of the violation.

DEFINITIONS
Office of the Chief Information Officer: The Office of the Chief Information Officer (OCIO).
OCIO IT Security Policy: Also called the OCIO IT Security Policy or OCIO Policy No. 141, Securing Information Technology Assets. This is the published policy of the Office of the Chief Information Officer regarding Information Technology Security. The purpose of this policy is to create an environment within state of Washington agencies that maintains system security, data integrity and privacy by preventing unauthorized access to data and by preventing misuse of, damage to, or loss of data.
Information Assets: 'Information assets' are defined as all types of data stored or transmitted on behalf of the college. This may include (but is not limited to) employee data, student personal data or college data.
Information Technology (IT): Information Technology (IT) is a term that broadly defines all types of technology-delivered resources such as information, data, databases, equipment, applications, software or Web-based resources.
Policy: A policy is the official or prescribed plan or course of action. Webster's 7th New Collegiate Dictionary defines "policy" as a "course or method of action selected from among alternatives...to guide and determine present and future decisions."
Security Standard: Webster's defines "standard" as "something established by authority, custom, or general consent as a model or example; OR something set up and established by authority as a rule for the measure of quantity, weight, extent, value or quality." In order to protect resources and enable security audits, the Office of the Chief Information Officer requires all state agencies to adhere to common IT security standards.
Technology Assets: 'Technology assets' are defined as all software, hardware, or network infrastructure owned by the college.
Unauthorized Use: Unauthorized use pertains to any action that conflicts with or directly violates YVCC policies, procedures or standards for campus technology usage. This also includes unlawful use in violation of local, State and/or Federal law.

RELEVANT LAWS AND OTHER RESOURCES
Revised Code of Washington: http://apps.leg.wa.gov/rcw/
Washington Administrative Code: http://apps.leg.wa.gov/wac/
OCIO Securing IT Assets Policy: http://ofm.wa.gov/ocio/policies/documents/141.pdf
Washington State Ethics Board: http://www1.leg.wa.gov/LEB/

APPENDICES
REVISION HISTORY
November 2005: Initial Draft
August 2006: Final Draft
January 2008: Revised

Revision Log
Date    By    Notes

YVCC Administrative Procedure 6.01 Information Technology 1 of 1