Technology Standard

 


Contingency Planning and Business Recovery Program

IT Security Governance

Version: 1.0
Status: Approved 02/21/07
Contact: Director, Technology Services


PURPOSE

The effectiveness of an enterprise’s information security practices depends to a large degree on how security responsibilities are organized and assigned. The purpose of the IT Security Governance Standard is to identify all of the primary roles and associated responsibilities for creating and maintaining the VCCS Information Security Program.


SCOPE

The IT Security Governance Standard covers all VCCS and college business processes and the related Information Technology infrastructure. 


APPLICABILITY

The IT Security Governance Standard is applicable to the System Office and all Colleges.


STANDARD

One of the key components in building a strong IT security organization is to clearly identify all the primary roles and responsibilities. To support the VCCS security infrastructure and the local college security infrastructure, the following Governance Model and associated enterprise security organization are required:


College Information Security Officers (CISO) Group

The College Information Security Officers (CISO) Group addresses issues and matters specific to information security and their impact on telecommunications and computing areas such as voice, data, and video; desktops and servers; and general computing applications and services.

The College Information Security Officers Group is specifically charged with the discussion, review, and planning of the VCCS Information Technology Security Program and all the related standards, guidelines, and procedures on which all colleges must base their local IT security programs. The Group shall facilitate an appropriate exchange of information among the Interest Groups, Workgroups, and ad-hoc committees for the express purpose of building consensus on related issues. The CISO Group plays an advisory role to the Technology Council and the VCCS colleges. It shall be a focal point of discussion across the more limited boundaries of the various VCCS peer groups and workgroups, bringing understanding of the interplay and impact of security on the various technologies, applications, and services deployed within VCCS. The CISO Group shall identify proposals, provide guidance to the peer groups, and provide advice and counsel to the Technology Council.

VCCS Information Technology Security Organization

The diagram below provides a functional representation of how VCCS information security is organized to support the twenty-three colleges, the System Office, and Enterprise applications, services, and supporting IT infrastructure. The colleges and the System Office are expected to maintain organization charts that identify the specific individual assignments and reporting relationships.


Roles and Responsibilities

College Presidents – Each College President is responsible for the College’s IT systems and data. Their IT security responsibilities include:

  1. Designate an ISO for the College and provide, via e-mail, the employee’s name, title, and contact information to VCCS annually or as personnel changes are made. The College President is strongly encouraged to designate at least one backup for the ISO as well.


  2. Determine the optimal place of the IT security function within the College hierarchy, with the shortest practicable reporting line to the College President.


  3. Maintain an IT security program that is sufficient to protect the College’s IT systems, and that is documented and effectively communicated.


  4. Review and approve the College’s Business Impact Analysis (BIA), Risk Assessment (RA), and Continuity of Operations Plan (COOP), including an IT Disaster Recovery Plan where applicable.


  5. Accept residual risk as described in section 2.5 of the IT Security Audit Standard (COV ITRM Standard SEC502-00).


  6. Maintain compliance with the IT Security Audit Standard (COV ITRM Standard SEC502-00) and the guidance provided in the VCCS Contingency Planning and Business Recovery Program. This compliance must include, but is not limited to:

    1. Requiring development and implementation of the College Contingency Planning and Business Recovery Program, and submitting the Annual Statement of Compliance to the System Office;

    2. Requiring that the planned IT security audits are conducted;

    3. Receiving reports of the results of IT security audits;

    4. Requiring development of Corrective Action Plans to address findings of IT security audits; and

    5. Reporting to the System Office all IT security audit findings and progress in implementing corrective actions in response to those findings.


  7. Facilitate the communication process between IT staff and those in other areas of the College.


  8. Establish a program of IT security safeguards.


  9. Establish an IT security awareness and training program.


  10. Provide the resources to enable employees to carry out their responsibilities for securing IT systems and data.


  11. Ensure that managers at all levels in the College provide for the IT security needs under their jurisdiction, take all reasonable actions to provide adequate IT security, and escalate problems, requirements, and matters related to IT security to the highest level necessary for resolution.

VCCS Information Security Officer – The System Office ITS Office has been designated as the primary liaison for developing and managing the VCCS IT security program and the supporting shared security infrastructure. As such, this office will perform the following duties:

  1. Administers the VCCS Contingency Planning and Business Recovery Program and periodically assesses whether the program is implemented in accordance with COV IT Security Policies and Standards.


  2. Prepares requests for exceptions to COV IT Security Policies, Standards, and Procedures.


  3. Provides solutions, guidance, and expertise in IT security.


  4. Maintains awareness of the security status of sensitive IT systems.


  5. Facilitates effective implementation of the VCCS Contingency Planning and Business Recovery Program, by:


    1. Preparing, disseminating, and maintaining IT security policies, standards, guidelines, and procedures as appropriate;


    2. Collecting data relative to the state of IT security in VCCS and communicating as needed;


    3. Providing consultation on balancing an effective IT security program with college needs.


  6. Provides networking and liaison opportunities to the College Information Security Officers (ISOs).


  7. Serves as the VCCS primary security liaison with VITA and the Chief Information Security Officer (CISO), facilitating the required communications on all IT matters that may impact the System Office and the twenty-three colleges.

College Information Security Officer (ISO) - The ISO is responsible for the development and administration of the college Contingency Planning and Business Recovery Program as well as the college’s local IT security architecture. The ISO is expected to perform the following duties:

  1. Develop and manage the college IT security program that meets or exceeds the requirements of VCCS and COV IT security policies and standards in a manner commensurate with risk.


  2. Develop and maintain an IT security awareness and training program for the college staff, including contractors and IT service providers.


  3. Coordinate and provide IT security information to the VCCS ISO as required.


  4. Implement and maintain the appropriate balance of protective, detective and corrective controls for college and VCCS IT systems commensurate with data sensitivity, risk and systems criticality.


  5. Mitigate and report all IT security incidents in accordance with §2.2-603 of the Code of Virginia and related VCCS requirements and take appropriate actions to prevent recurrence.


  6. Maintain liaison with the VCCS ISO.

System Administrators - The System Administrator is an analyst, engineer, or technician who implements, manages, and/or operates a system or systems. The System Administrator assists College and System Office management in the day-to-day administration of the IT systems, and implements security controls and other requirements of the local IT security program on IT systems for which the System Administrator has been assigned responsibility. Typically in the VCCS these are SIS Security Officers, LAN Administrators, Network Security Engineers, etc.

IT System Users - All users of COV IT systems, including employees and contractors, are responsible for the following:

  1. Read and comply with VCCS Contingency Planning and Business Recovery Program requirements as well as VCCS and college IT policies, standards, and guidelines.


  2. Report breaches of IT security, actual or suspected, to their college management and/or the ISO.


  3. Take reasonable and prudent steps to protect the security of IT systems and data to which they have access.

System Owners - The System Owner is the manager responsible for operation and maintenance of an IT system. With respect to IT security, the System Owner’s responsibilities include the following:

  1. Require that all IT system users complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually, thereafter.


  2. Manage system risk and develop any additional IT security policies and procedures required to protect the system in a manner commensurate with risk.


  3. Maintain compliance with VCCS and COV IT security policies and standards in all IT system activities.


  4. Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.


  5. Designate a System Administrator for the system.


Data Owners - The Data Owner is the manager responsible for the policy and practice decisions regarding data, and is responsible for the following:

  1. Evaluate and classify sensitivity of the data.


  2. Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.


  3. Communicate data protection requirements to the System Owner.


  4. Define requirements for access to the data.

Data Custodians - Data Custodians are individuals or organizations in physical or logical possession of data for Data Owners. Data Custodians are responsible for the following:

  1. Protect the data in their possession from unauthorized access, alteration, destruction, or usage.


  2. Establish, monitor, and operate IT systems in a manner consistent with VCCS and COV IT security policies and standards.


  3. Provide Data Owners with reports, when necessary and applicable.

