University of Washington
Administrative Policy Statements
March 1, 2004 2.1.6


UW Information Systems Security

(Approved by the President by authority of Executive Order No. 2)


6.   Roles and Responsibilities

Responsibility for protecting UW information systems and data is shared by many entities and individuals throughout the University including the Privacy Assurance and Systems Security Council (PASS Council), the UW Privacy Officer, Computing & Communications Security Services, the UW Medicine IT Services Security Infrastructure Team, and all UW system owners, operators, data custodians, and users. The following section describes the specific roles and responsibilities of each of these groups.

a.   UW Privacy Assurance and Systems Security Council (PASS Council)

The Privacy Assurance and Systems Security Council (PASS Council) is an appointed administrative authority whose role is to provide oversight and direction regarding information systems security and privacy assurance. The membership of the PASS Council is composed of senior officials and management staff representing key administrative areas of the UW's operations.

The responsibilities of the PASS Council include the following:

  • Oversee the development, implementation, and maintenance of a University-wide strategic information systems security plan.

  • Oversee the development, implementation, and enforcement of University-wide information systems security policy and related recommended guidelines, operating procedures, and technical standards.

  • Oversee the process of handling requested policy exceptions.

  • Advise the University administration on related risk issues and recommend appropriate actions in support of the UW's larger risk management programs.

  • Ensure related compliance requirements are addressed, e.g., privacy, security, and administrative regulations associated with the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state rules.

  • Ensure appropriate risk mitigation and control processes for security incidents as required.

b.   UW Privacy Officer

The privacy protection objectives of the UW are critical to the success of the University's mission. The UW has appointed a privacy officer as an integral component of its commitment to protect privacy and comply with all requirements for information systems protection. The role of the privacy officer is to provide strategic oversight and coordination of the University's privacy protection and compliance efforts. The privacy officer is appointed by the UW president and must be a senior member of the administration. See the UW Electronic Privacy Policy on Personally Identifiable Information for detailed information about the privacy officer's specific duties.

The success of the privacy officer's efforts depends on strong support from all system owners, operators, data custodians, and users throughout the UW.

c.   Computing and Communications Security Services

Computing and Communications (C&C) plays an active, key role in computer security planning, analysis, prevention, incident response, and technical education for the University community. Key groups within C&C that fulfill this role are Security Operations, the Security Infrastructure Team, Network Support Services, and others.

C&C's security responsibilities include the following:

  • Support for UW security policy development, implementation, and enforcement.

  • Support for UW strategic security planning and plan implementation.

  • Development of security strategy in UW information systems architecture.

  • Support for security and privacy awareness and education programs.

  • Incident response services as needed.

  • Computer forensic services as required.

  • Security consulting services as needed.

  • Support for the development and implementation of all appropriate standards and guidelines as necessary.

C&C coordinates its administrative activities and incident response procedures as necessary with both the privacy officer and the PASS Council. In addition, it works closely with the UW Medicine Information Technology Services Security Infrastructure Team to ensure University-wide service continuity and to leverage all mutually beneficial activities and resources.

d.   UW Medicine IT Services Security Infrastructure Team

The UW Medicine Information Technology Services (IT Services) Security Infrastructure Team plays a key role in providing centralized oversight, direction, and support for all information systems security-related services for UW Medicine. The group's responsibilities include the following:

  • Support for UW Medicine security policy development, implementation, and enforcement.

  • Support for UW Medicine strategic security planning and plan implementation.

  • Support for security awareness and education programs.

  • Incident response services as needed.

  • Computer forensic services as required.

  • Security consulting services as needed.

  • Support for the development and implementation of all appropriate standards and guidelines as necessary with the UW Medicine community.

The UW Medicine IT Services Security Infrastructure Team works closely with C&C Security Operations to ensure University-wide service continuity and to leverage all mutually beneficial activities and resources.

The director of the UW Medicine IT Services Security Infrastructure Team has review and decision authority over requests for exceptions to information systems security policy within the UW Medicine environment, unless privacy protection issues could be involved. Requests that could involve privacy protection fall under the administrative authority of the privacy officer and of the designated authorities specified by the UW administration or the UW Medicine administration.

e.   System Owners and Operators

System owners and operators play a critical role in protecting UW information systems and data. Their ranks might include members of the UW professional staff, deans, department heads, faculty members, contracted employees, or students.

System owners' and operators' areas of responsibility for systems and information security include the following:

  • Comply with UW policies and statutory and regulatory requirements.

  • Comply with UW guidelines related to logical and physical security (see UW Guidelines for Implementing Systems and Data Security Practices).

  • Comply with "Guidelines for UW Computer Services Users."

  • Maintain confidentiality of sensitive data, especially personally identifiable information and valuable intellectual property (see UW Guidelines for Implementing Systems and Data Security Practices and UW Electronic Information Privacy Policy on Personally Identifiable Information).

  • Grant access to all users based on the principle of least privilege where required.

  • Grant access to all users based on the principle of separation of duties where required.

  • Submit documented reports to the appropriate authority involving incidents of security breaches with the potential to compromise personally identifiable information (see UW Electronic Information Privacy Policy on Personally Identifiable Information).

  • Submit documented requests to the PASS Council for any desired exceptions to UW policy.

  • Perform incident response activities when incidents involve their system(s).

  • Specify security resources as required in University budget processes and in grant proposals.

All system owners and operators are encouraged to work closely with the PASS Council, UW privacy officer, data custodians, C&C Security Operations, and UW Medicine IT Services Security Infrastructure Team to help ensure the successful protection of UW computing resources and data.

f.   Data Custodians

Data custodians are individuals who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of the UW. The role of the data custodians is to provide direct authority and control over the management and use of specific information. These individuals might be deans, department heads, managers, supervisors, or designated staff. They might serve dual roles as a system owner or operator and a data custodian.

Data custodians must follow all appropriate and related security guidelines to ensure the protection of sensitive data and intellectual property residing on systems for which they have accountability (see UW Guidelines for Implementing Systems and Data Security Practices).

The UW Electronic Privacy Policy on Personally Identifiable Information delineates the ultimate custodial authority for the various types of personally identifiable information.

Data custodians' responsibilities include the following:

  • Ensure compliance with all UW policies and all statutory and regulatory requirements.

  • Provide system owners and operators with requirements for access control measures to protect sensitive data.

  • Ensure appropriate disposal of all media on which data is stored at the end of its use.

  • Ensure appropriate security measures for transmission of data.

  • Support access control of data by acting as a control point for all access requests.

  • Support regular review and control procedures that ensure that all access privileges are current and appropriate.

  • Submit documented reports to the appropriate authority if there is a possibility of compromise of personally identifiable information (see UW Electronic Information Privacy Policy on Personally Identifiable Information).

  • Ensure that all access is granted based on the principle of least privilege where required.

  • Ensure that all access is granted based on the principle of separation of duties where required.

Data custodians, in conjunction with the system owners and operators and the UW privacy officer, are responsible for documenting any requested exceptions to UW privacy protection policies. Documented exceptions must be approved in writing by the authorized University officials responsible for the electronic information to which the exception applies. Exceptions will be considered only when warranted and only to the degree necessary to achieve the mission and business needs of the University. Any and all exceptions made must be documented with the Executive Vice President.

g.   Users

All users have a critical role in the effort to protect and maintain UW information systems and data. Users of UW computing resources and data have the following responsibilities:

  • Support compliance with all federal and state statutes and regulations.

  • Comply with all UW policies and guidelines (see Guidelines for UW Computer Services Users and UW Electronic Information Privacy Policy on Personally Identifiable Information).

  • Protect against unauthorized access to accounts, privileges, and associated passwords.

  • Maintain confidentiality of sensitive information to which they are given access privileges.

  • Accept accountability for all activities associated with individual user accounts and related access privileges assigned to them.

  • Restrict to authorized purposes the use of UW computers, email, computer accounts, and networks and the information accessed, stored, or used on any of these systems.

  • Report all suspected security and/or policy violations to an appropriate authority (e.g., manager, supervisor, system administrator, C&C Security Operations, or UW Medicine IT Services Security Infrastructure Team).

  • Report all known violations of privacy policy to the UW privacy officer.

Users are also required to follow all specific policies, guidelines, and procedures established by the UW departments, schools, colleges, or business units with which they are associated and that have provided them with access privileges.
