This policy sets requirements for maintaining system and network security, data integrity and confidentiality.
What is Securing Information Technology Assets
(SEC-01)
Agencies must assess the IT security risks and compliance with IT security policies and standards of a proposed information technology system and/or application as part of an agency’s security program and portfolio management process.
What is agencies must assess IT security risk of proposed IT implementations.
Agencies must conduct ongoing external threat intelligence gathering, which at a minimum includes
What is identification and use of threat intelligence feeds
WaTech will provide a template for agencies
What is an incident response plan guideline.
For technical assistance regarding WaTech Risk Assessment Standard, please email this distro
What is Risk Management
or
RiskManagement@watech.wa.gov
This policy is necessary for ensuring a coherent and cohesive response to cybersecurity incidents that can cause irreparable harm to critical data and infrastructure.
What is IT Security Incident Response Policy
SEC-10
Agencies must document the controls mitigating the IT project solutions’ security risks within a Risk Treatment Plan (RTP). See SEC-11 Risk Management Policy. This must include, but is not limited to (Please Name 2)
What is
User identification and authentication management method
System hosting model; e.g., cloud or agency premise
Security boundary devices, e.g., firewalls, intrusion detection/prevention systems (IDPS)
Vulnerability management e.g., scanning and patching
Resource constraints
System development lifecycle (SDLC) deficiencies
After confirming the vulnerability scan results applicable to their systems, agencies are responsible for
What is reducing the likelihood and/or the impact of exploitation of the vulnerabilities
At a minimum, the Agency level incident response plan (AIRP) must address escalation procedures that align with
Enterprise Incident Response Plan EIRP
Agencies must conduct risk assessments at critical points prior to the acquisition of an information system, cloud service, or managed service which will store, process, or transmit
This policy covers the centralized inventory of hardware and software assets, which enables agencies to make sound business, technical, and legal decisions.
What is Asset Management Policy
Agencies must update the agency’s system authorization process
What is every 3 years or when significant changes occur
Indicates flaws that could be easily exploited by an unauthenticated remote attacker and lead to compromise.
What is Critical
(CVSS Rating 9.0-10.0)
Agencies must exercise the plan
What is annually
NIST SP 800-39 covers the
What is managing information security risk.
This policy covers strengthening security by aligning the business units with the technical privileges given.
What is Access Control Policy
SEC-06
Agencies must agree to operate the system in compliance with
What is the state standards
Configure endpoints and network infrastructure and applications to allow
What is access for vulnerability scans
WaTech’s Security Operations Center (SOC) must investigate
What is agency reported incidents
Prior to sharing category 3 or category 4 data with agencies and/or vendors, or when a security patch is not applied
What is a Risk Assessment
This policy covers the physical and environmental security control
What is Physical and Environmental Protection Policy
SEC-07
For questions about the Security Assessment and authorization policy
What is email the WaTech Policy Mailbox
Agencies must prioritize the assets to be remediated by the system’s
What is business criticality
Agencies will fully cooperate with the
What is the Governor's Office
Impact * Likelihood =
What is inherent risk