University of Washington Administrative Policy Statements
March 1, 2004
2.1.5
UW Information Systems Security (Approved by the President by authority of Executive Order No. 2)

5. Definitions

The following terms are found in this policy document or its associated guideline documents:

Access Control: A physical, procedural, and/or electronic mechanism that ensures only those who are authorized to view, update, and/or delete data can access that data.

Authentication: A systematic method for establishing proof of identity.

Authorization: The process of giving someone permission to do or have something. System administrators/owners and data custodians define for their systems which users are allowed access to those systems and what privileges are assigned. A system could be an operating system, database, or application.

Availability: The assurance that a computer system is accessible by authorized users whenever needed or as pre-defined.

Common Criteria for Information Technology Security Evaluation: A comprehensive specification (aligned with the ISO IS 15408) that first defines the targeted environment and then specifies the security requirements necessary to counter threats inherent in that environment.

Computing & Communications (C&C): The UW administrative unit responsible for (among other things) central UW computing and networking.

Confidentiality: An attribute of information. Confidential information is sensitive or private information, or information whose unauthorized disclosure could be harmful or prejudicial.

Cookie: A small text file that is sent to a user's computer by the server that the user is visiting. This file can record preferences and other data about the user's visit to a particular site. Cookies often are used for long-term data collection. Short-term cookies might be used for things like authentication in "single sign-on" services.

Cost-effective: To deliver desired results in beneficial financial terms.

Critical Servers: Within the UW, critical servers are devices needed to support patient care or major UW administrative services, or they are devices that contain personally identifiable information that has value in and of itself.

Data Custodians: Individuals who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of the UW.

Decryption: The process of turning unreadable cipher text into readable text.

Encryption: The process of turning readable text into unreadable cipher text.

Firewalls: Policy-based filtering systems (composed of both hardware and software) that control and restrict the flow of data between networked computer systems. Firewalls establish a physical or logical perimeter where selected types of network traffic may be blocked. Blocking policies typically are based on computer IP addresses or protocol type of application (e.g., Web access or file transfer). Types of firewalls relevant to this policy include:

Forensics (Computer): The discipline of dissecting computer storage media, log analysis, and general systems to find evidence of computer crime or other violations.

Incident Response Capability: The ability to respond appropriately and completely to any incidents, situational compromises, or threats from any source.

Information Systems: The UW's electronic information systems and data assets. All computing systems, networks, digital information, and other electronic processing or communications related resources or services provided through the UW.

Integrity: Data or a system remains intact, unaltered, and reliable.

Intrusion Detection: A security management system that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

Non-repudiation: A mutually agreed upon process, secured evidence, or other method of operation that provides proof of receipt or protection from denial of an electronic transaction or other activity.

Off Site: A location separate and distinct from the area in which something, such as a computer, is located. Frequently referred to when considering backup storage.

Ownership: The term that signifies decision-making authority and accountability for a given span of control.

Perimeter Security: The ability to protect the outer limits of a network, or a physical area, or both.

Personally Identifiable Information: Specific data, elements of non-specific aggregate data, or other information that is tied to, or otherwise identifies, an individual or that provides information about an individual in a way that is reasonably likely to enable identification of a person as an individual and make personal information about them known.

Principle of Least Privilege: Access privileges for any user should be limited to only what is necessary to complete their assigned duties or functions, and nothing more.

Principle of Separation of Duties: Whenever practical, no one person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.

Privacy: An individual's right to be left alone; to withdraw from the influences of his or her environment; to be secluded, not annoyed, and not intruded upon; to be protected against the misuse or abuse of something legally owned by an individual or normally considered by society to be his or her property.

Privacy Policy: Specific to the UW, the UW Electronic Privacy Policy on Personally Identifiable Information.

Privacy Statement: Sometimes referred to as a privacy policy, a privacy statement is posted on an organization's Web site to notify visitors of the types of information being collected and what will be done with the information.

Risk Management: A comprehensive methodology that strives to balance risks against benefits in a pre-defined environment.

Security: An attribute of information systems that includes specific policy-based mechanisms and assurances for protecting the confidentiality and integrity of information, the availability and functionality of critical services, and the privacy of individuals.

Security Incident: An event during which some aspect of computer security is threatened.

Server Sanctuaries: Within the UW, these are locations within computing facilities where clusters of sensitive or critical servers can be co-located and around which suitable physical and logical security measures can be implemented.

Subnet Contacts: Specific to the UW, individuals who are registered with the C&C Network Operations Center as contacts for departmental subnets.

System: A network, computer, software package, or other entity for which there can be security concerns.

System Administrators: Individuals who support the operations and integrity of computing systems and their use. Their activities might include system installation, configuration, integration, maintenance, security management, and problem analysis and recovery. In addition, managing the computer network is often their responsibility in an inter-networked computing environment.

System Management: The activities performed by systems administrators.

System Operators: Individuals within the UW community who are accountable for the operational decisions about the use and management of a computing system. (See also System Owners.)

System Owners: Individuals within the UW community who are accountable for the budget, management, and use of one or more electronic information systems, electronic databases, or electronic applications associated with the UW. (See also System Operators.)

Technicians: Individuals who have technical knowledge about computers, software, hardware, operating systems, and networks (e.g., system administrators, system engineers, or network engineers).

Users: Any individual who has been granted privileges and access to UW computing and network services, applications, resources, and information.

UW-owned Network: A network where network components (including active elements such as routers and switches, transmission media, and network-attached computers) are owned and operated by the UW or units of the UW. A message that travels over UW-owned networks is, in general, on an open network and hence requires additional security measures to be considered secure.

UW Medicine: An affiliation of organizations including Harborview Medical Center, University of Washington Medical Center, University of Washington Physicians, and University of Washington School of Medicine.