- d
(Approved by the Vice President for UW Information Technology and Chief Information Officer by authority of Executive Order No. 63)
1. Purpose
University of Washington shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.
This policy describes the information security controls used by the University to protect its institutional information, information systems, computerized devices, or infrastructure technology. The underlying principles of this policy are to achieve the ideal of access of least privilege and separation of duties for the creation, use, and dissemination of information. The following controls will be implemented based on the approved information security standards and will be commensurate with asset value and risk as determined by the Executive Heads of Major University Organizations.
2. Scope
This policy is applicable to all of the University.
3. Security Plan
The Executive Heads of Major University Organizations are responsible for the risks associated with their assets. They must document and implement an Information Security Plan (Plan) that demonstrates due care in securing their assets by meeting the intention of the controls in this policy statement. The Plan must address each of the requirements in this policy statement and include the following:
- Delegate Plan responsibilities to the appropriate people (e.g., system owners, system operators)
- Include a Plan implementation timeline and milestones
- Describe the organization’s approach to implementing the Plan (e.g., by department, by functional area, or by asset type)
- Document critical assets and the controls that are implemented for each of them
- Describe alternate or compensating controls and the rationale for selecting them.
For Plan templates and information security guidelines related to this policy statement, see the Office of the University Chief Information Security Officer website.
4. General Operational Controls
General operational controls include the appropriate security controls and operational practices for the University’s networks, information systems, applications, and information throughout the institution. These controls must be defined, implemented, maintained, and include the following:
- A change and configuration management process
- A flaw remediation process
- A malicious code and unauthorized software countermeasure process
- A data protection and destruction process
- Secure development practices
- Backup and recovery processes for critical information and software
- A business continuity and disaster recovery plan
- Information security technical architecture standards
- System build and maintenance standards
- Acceptable use standards.
5. Technical Security and Access Controls
Technical security and access controls restrict access to institutional information and systems in accordance with the University’s information security and privacy policies and standards. These controls must be defined, implemented, maintained, and include the following:
- Remote access process
- Cryptographic controls for protecting data
- An access authorization process for all users and information systems
- An authentication mechanism for all authorized users and information systems
- Network, system, and application level protection measures.
6. Monitoring Controls
Monitoring controls define the event information that will be logged and monitored, and alert levels that will be triggered for incident response. These controls must be defined, implemented, maintained, and include the following:
- A baseline measurement process for application, system, and network activity
- A monitoring capability for critical systems
- An intrusion detection mechanism
- Logging processes for networks, systems, and applications.
7. Physical Controls
Physical controls define the protection required for the data center, physical assets, critical information systems, and institutional information. These controls must be defined, implemented, maintained, and include the following:
- Physical protection and access processes for buildings that house critical information technology and systems
- A physical protection process for critical information systems and institutional information.
8. Asset Identification Controls
Asset identification controls include the planning and operational procedures related to asset inventory, accountability, responsibility, and information classification. These controls must be defined, implemented, and maintained to identify, inventory, assign ownership, and classify institutional information and information systems using the following information classification scheme:
- Public Information
- Restricted Information
- Confidential Information.
9. Account and Identity Management Controls
Account and identity management controls govern the hiring, termination, and background checking procedures for the University’s workforce members. They also focus on identity and account management for all accounts such as employee, non-employee, system, or service accounts. These controls must be defined, implemented, maintained, and include the following:
- An identity and eligibility verification and registration process
- A user and system account life cycle management process.
10. Policy Maintenance
The University Chief Information Security Officer shall review and approve this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment, prior to being sent for final approval by those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.
11. Additional Information
For additional resources or further information on this policy statement, see the Office of the University Chief Information Security Officer website.
June 20, 2012; October 28, 2013.