S2 : Security and Privacy Protocols

Notice: applying this to your agency.

The IT Project Resources are not meant to replace your agency’s internal project management practices or prescribe how you must operate. Instead, they offer concepts and tools that can strengthen delivery by providing a scalable framework for project level coordination. All project documentation should be maintained throughout each stage in alignment with agency policies and, where applicable, WaTech requirements and oversight expectations.

 

For Programs and Projects

Establish the security and privacy controls required to protect project data, systems, and users. This S ensures alignment with WaTech cybersecurity policies, statewide security standards, and all applicable privacy regulations. It defines how security responsibilities, compliance obligations, and risk management activities will be distributed across the enterprise program and agency sub‑projects.

For Programs with Agency‑Led Sub‑Projects

Identify agency‑specific compliance requirements, access control needs, and data protection obligations. Document local security constraints, legacy system considerations, and privacy requirements. Coordinate with the enterprise program to ensure agency‑level needs are incorporated into the overall security and compliance strategy.

Programs and projects must demonstrate compliance with the following statewide policies and standards:

  • SEC‑01: Washington State Cybersecurity Program Policy Ensures the solution aligns with statewide cybersecurity expectations, including protection of confidentiality, integrity, and availability; operational continuity; and privacy safeguards.
  • SEC‑02: Security Assessment and Authorization Policy Requires documentation of system security controls, participation in Security Design Reviews, and adherence to statewide authorization processes.
  • SEC‑11: Information Security Risk Management Policy Mandates identification, assessment, mitigation, and reporting of security risks throughout the system lifecycle.
  • IT Policy 141.10 – Securing Information Technology Assets Requires classification of data into four sensitivity categories and application of appropriate controls for:
    • Data storage
    • Data flows
    • Security controls
    • Access management
    • Retention and archival
    • Integration design
  • Statewide Privacy Requirements (OPDP Guidance) Requires privacy‑by‑design practices, data minimization, privacy impact assessments, and compliance with applicable privacy regulations.
  • WaTech Enterprise Architecture and Cybersecurity Standards Ensures alignment with statewide architecture patterns, hosting standards, identity and access management requirements, and secure integration practices.

Key Activities

  • Conduct a security risk assessment and perform threat modeling.
  • Define authentication, authorization, and encryption protocols.
  • Document privacy requirements, data protection measures, and retention considerations.
  • Establish security role mapping and access control models.
  • Align all protocols with WaTech cybersecurity standards, enterprise policies, and statewide regulations.
  • Validate proposed controls with security architects, compliance officers, and agency security SMEs.
  • Incorporate feedback into the Security and Compliance Strategy.
  • Required Alignment with WaTech Security Policies.

WaTech available template: Security and Compliance Strategy