OPS-01 Baseline Security Categories

Quick Takes

  • Systems and services are categorized by business impact and data sensitivity.
  • Each asset is assigned a Safety & Criticality (SC) level and a Data Classification.
  • These two attributes determine the required Assurance Level (Basic or Enhanced).
  • Higher-impact or higher-sensitivity assets require stronger security controls.

1. Purpose

The purpose of the Baseline Security Categorization Guidelines is to establish a consistent method for determining the level of security controls required for systems, services, and information assets. By evaluating both potential business impact and data sensitivity, SVC ensures that cybersecurity and privacy protections are appropriately aligned with institutional risk, mission criticality, and regulatory obligations.

2. Scope

These guidelines apply to all SVC information assets, systems, applications, services, and data that are created, processed, stored, or transmitted by the institution. This includes on-premises and cloud systems and covers assets supporting mission-critical operations as well as routine business activities. Categorization applies regardless of where the system or data is hosted.

3. Key Requirements

Safety & Criticality (SC) Levels

  • SC1 – Mission Critical: Systems essential to SVC’s mission; outages cause enterprise-wide disruption, reputational damage, or risk to health or safety.
  • SC2 – Business Critical: Systems supporting primary operations; outages cause significant service degradation or departmental disruption.
  • SC3 – Non-Critical: Systems supporting day-to-day operations; outages reduce productivity but do not halt operations.
  • SC4 – Business Supporting: Systems with minimal business impact if unavailable.

Assurance Levels

  • Basic Assurance: Minimum, industry-recognized security practices (e.g., NIST, ISO) with properly scoped controls and timely flaw remediation.
  • Enhanced Assurance: Stronger controls exceeding baseline requirements, often required for sensitive data or regulatory obligations, with increased monitoring and stakeholder involvement.

Risk Alignment

  • Assurance levels are determined by combining SC level with data classification using the Asset Categorization Risk Matrix.
  • Assets handling more sensitive data or with higher business impact require Enhanced assurance controls.

4. Roles & Responsibilities

Asset Owners

  • Determine and approve the Safety & Criticality level and data classification for systems and services.
  • Ensure appropriate assurance levels and security controls are applied.

IT & Security Teams

  • Implement and maintain security controls consistent with assigned assurance levels.
  • Monitor systems, remediate vulnerabilities, and support enhanced controls where required.

Business Stakeholders

  • Participate in risk awareness and governance for systems supporting their functions.
  • Support ongoing evaluation of mission impact and operational criticality.

Institutional Leadership

  • Ensure categorization supports compliance, risk management, and institutional mission priorities.

5. Related Policies & References

6. Authority

All computer systems at Skagit Valley College are state property. Even if you are using your personal device, by connecting to the wifi, to Canvas, or to any other system provided by the College, you are using state property. State law requires everyone who uses state property to follow certain laws. Here is the chain of authority governing the College's IT policies:
