University of Washington
Administrative Policy Statements		 March 1, 2004 2.1.7

Table of Contents

1. Purpose

2. Applicability

3. Compliance

4. Authorities

5. Definitions

6. Roles and Responsibilities

7. Policy
      

UW Information Systems Security

(Approved by the President by authority of Executive Order No. 2)


7.   Policy

The following section sets forth the UW's general policy regarding the security, availability, privacy, and integrity of its information systems, networks, and data. It stipulates specific policies for monitoring computing resources, managing electronic data and records, and controlling access to computing resources. In addition, it outlines minimum standards and practices for systems and network security.

a.   General Statement of Policy

It is the policy of the UW to ensure the security, availability, privacy, and integrity of its information systems, networks, and data and to ensure full compliance with all applicable federal and state statutes and regulations.

All providers and users of UW computing services, resources, and data are required to comply with all established policies, guidelines, and procedures, including applicable federal and state statutes and regulations.

The general policy outlined in this section is the foundation for all other policy statements, guidelines, and procedures that are developed and implemented within UW computing environments.

b.   Monitoring User Accounts, Files, and Access

The UW does not routinely inspect or monitor the use of computers. However, the normal operation and maintenance of UW computing and network resources require authorized UW staff to back up and cache data and communications, log activity, monitor general usage patterns, and perform other activities that are necessary for the delivery and availability of service.

Receipt of a report or discovery of inappropriate or unauthorized use of computing and network resources may trigger monitoring and investigation by authorized UW staff.

UW systems owners and operators may specifically monitor the activity of individual users including files, session logs, content of communications, and Internet access without notice, when:

  • The user's activity prevents access to computing and network resources by others.

  • General usage patterns indicate that unacceptable activity is occurring.

  • There is reasonable cause to believe that a user has violated or is violating policy or law.

  • It appears necessary to do so to protect the UW from liability.

  • It is required by and consistent with law.

Evidence of misuse of computing resources will be referred to appropriate UW officials. Evidence of possible criminal activity, which could include user files, email, and/or activity logs, will be turned over to appropriate UW and law enforcement officials.

c.   Electronic Data and Records Management

Much of the vast amount of electronic data generated throughout the University comprises official UW records and requires specific management and handling practices and procedures as defined by the UW and state law.

All UW system owners, operators, data custodians, and users are obligated to understand the nature of the data they generate, use, or store and to ensure that they are managing that data in full compliance with all state laws and UW records management policies. All UW system owners, operators, data custodians, and users are required to properly manage and protect electronic data they may be using, transmitting, and storing.

UW Records Management Services is the primary resource for information and support regarding these obligations. Specific information regarding what is defined as an official record of the UW, as well as retention, destruction, and archival requirements, is available through UW Records Management Services.

The University privacy officer and the UW Electronic Information Privacy Policy on Personally Identifiable Information are the primary sources for direction and information regarding personally identifiable information.

The document named UW Guidelines for Implementing Systems and Data Security Practices contains a table of security measures commensurate with data categories.

d.   Access Controls

The UW has hundreds of different computing environments hosted on University networks, and within UW departments, schools, and business units. These environments require different security measures. Consequently, access control measures required for establishing users' access to any UW computing resources should be commensurate with the functional nature and degree of criticality of the computer systems, network resources, and data involved.

All system owners, operators, and data custodians are responsible for ensuring that their systems are properly protected with appropriate access control measures based on the criticality of their systems and the data involved. The document named UW Guidelines for Implementing Systems and Data Security Practices provides direction on how to define the appropriate security measures for computing systems.

In addition, all computing systems hosted on UW networks must support and comply with the following fundamental access control measures, functions, and operating principles:

  • Systems are required to have an access control mechanism that allows for an appropriate level of authorization and allocation of system and data resources to individual users. Access mechanisms can be physical, transaction-based, role-based, time-based, user-based, or use any other reasonable control method appropriate for the systems' functions.

  • Shared systems are required to have the capability to log basic information about user access activity and to create historical logs and access violation reports.

  • System access accounts for users must be based on a unique identifier, and no shared account is allowed except as authorized by the system owner or operator and where appropriate accountability can be maintained.

  • Users' system access must be based on the principle of least privilege and the principle of separation of duties.

  • Computer applications must be developed and integrated in a way that maintains individual user accountability and audit capability.

  • Documented procedures should be in place for issuing, altering, and revoking access privileges on shared systems.

e.   Systems and Network Security

In light of the complex and diverse nature of the different computing environments hosted on UW networks and the wide range of statutory and regulatory compliance requirements, all systems and network security measures must be based upon the functional nature and degree of criticality of the computer systems, network resources, and data involved.

All system owners and operators are responsible for ensuring that they have implemented all necessary security measures. Failure to do so risks creating security breeches or other incidents and could lead to temporary restrictions or even suspension of access to UW network resources.

The document named UW Guidelines for Implementing Systems and Data Security Practices provides direction on how to define the appropriate security measures for computing systems.

1)

  

Systems Security—Minimum Measures and Practices

To protect the availability and integrity of UW computing resources, all computing systems and servers hosted on UW networks should comply with the following systems security measures and practices:

  • Operating systems and applications must be maintained with the timely application of all related vendor-issued patches necessary to prevent the systems from being compromised and/or causing disruptions of network services and/or other systems.

  • Externally accessible systems must install antivirus software and maintain procedures for regular signature updates.

  • Shared systems are required to have a technical access control mechanism that allows authorization and allocation of system and data resources to individual users.

  • Procedures must be maintained for regular backup of all data and system files necessary for discovery and recovery purposes. All backup media should be stored properly in a location authorized by the data owner with protections that allow access to the data by authorized personnel only. The ability to recover data from backups should be tested regularly.

  • Shared systems are required to have the capability to log basic information about user access activity, system changes, and events for the possible creation of historical logs and access violation reports. Logs must be monitored for intrusions or attempts at unauthorized access.

  • Systems must maintain a functioning and accurate system clock, since it is a critical element for the computer forensics and system logs that are essential for successful investigations.

  • Encryption capabilities (the ability to turn readable text into unreadable cipher text) must be used for systems that send or receive personally identifiable information that is transmitted over open networks like the Internet or UW-owned networks.

  • Critical servers must be housed in protected areas such as server sanctuaries (locations where suitable physical and logical security measures can be implemented). (See UW Guidelines for Implementing Systems and Data Security Practices.)
2)   Network Security—Minimum Measures and Practices

To protect the security, availability, and integrity of UW network resources, all computing systems and servers hosted on UW networks should comply with the following security measures and practices:

  • Support proactive vulnerability probing and reporting by UW authorized technicians to help manage system security needs.

  • Use secure protocols (e.g., SSL/SSH/Kerberos) for accessing all services that require authentication.

  • Report all security breaches to the appropriate security entity (C&C Security Operations, UW Medicine IT Services Security Infrastructure Team, and/or the UW privacy officer).

  • Display security-warning banners prior to allowing the access log-on process to be initiated on systems running applications that are accessible on the UW-owned network. These security banners must inform all users that the system or application being accessed is proprietary, that it should be accessed only by authorized users, and that system use is monitored for enforcement purposes.

f.   Physical Security

Physical security measures are an important part of any effort to protect information system assets and services. As with logical security measures at the UW, the physical security measures required for protecting UW computing resources must be commensurate with the nature and degree of criticality of the computer systems, network resources, and data involved.

The UW has a wide spectrum of information systems deployments. They include:

  • Large data-center facilities.

  • Modest-sized server rooms.

  • Small sets or individual departmental servers located in all manner of office environments.

  • Computer labs.

  • Telecommunications closets and vaults of all shapes and sizes.

  • Media storage areas.

  • Desktop computer workstations and printers.

  • Wireless and mobile systems.

These technology deployments require different physical security measures. These measures are especially important when sensitive information is involved. All system owners and operators are responsible for ensuring that they have implemented the appropriate physical security measures for their particular computing environment. All users are required to respect the physical security measures in place.

The following physical security measures and objectives should be implemented where applicable to protect UW computing and network assets and sensitive information:

  • Physical access control measures sufficient to prevent UW assets from unnecessary and unauthorized access, use, misuse, vandalism, or theft.

  • Computer rooms and telecommunications closets located away from heavy traffic patterns and not advertised.

  • When appropriate, physical security measures should be in accordance with standards specified in the current edition of the National Fire Protection Association (NFPA) publication No. 75, Protection of Electronic Computing/Data Processing Equipment, and by Occupational Safety & Health Administration (OSHA) Safety and Health Standards. This is particularly important for data-center facilities.

  • Certified smoke and fire-alarm and fire-suppression systems for data centers, server rooms, telecommunication closets, and vaults to mitigate potential damage to UW assets in the event of a fire.

  • Environmental control measures (e.g., power supply, heating, ventilation, air conditioning, plumbing, and physical location) sufficient to protect UW assets from preventable service disruptions or harm.

  • Departmental and general access labs monitored and secured when not open for use.

  • Inventory control measures (e.g., asset tags or other identification markings) for tracking and accounting for UW assets.

  • Secured off-site data/media storage and procedures that meet all archival, backup, and recovery needs for UW computing and network operations.

  • Specific procedures for users of UW laptops, wireless services, and other mobile computing devices such as PDAs to prevent the theft or compromise of these devices.

Tools, systems, or procedures implemented to meet physical security requirements should be selected based on their cost-effectiveness and appropriate level of ability to protect UW assets.

g.   Personnel Security Measures

This section outlines security measures and procedures that should be established and maintained when working with UW personnel throughout the employment process and when dealing with vendors, contractors, and temporary employees.

1)

  

Measures for Hiring Employees

Comprehensive pre-employment screening is recommended for all potential candidates for key technical positions when those positions include an actual or potential wide span of systems control, and/or access to sensitive information, especially personally identifiable information or UW financial information. This screening could include checking and confirming references, background checks for criminal convictions (both federal and local, as necessary), and reviewing educational records and credit reports. All hiring officials should consider using such screening practices when hiring for key technical positions, regardless of employee type (contract, classified, professional, academic, or temporary).

All pre-employment inquiries must be conducted in full compliance with official UW guidelines established by UW Human Resources and in full compliance with state and federal laws. All hiring officials, managers, or others must work closely with UW Human Resources when engaging in any hiring process.

All UW departments, colleges, schools, and business units should have procedures in place to provide new employees with information about user responsibilities and guidelines associated with their assigned computer and network privileges and resources, including access to this document and related departmental policies, procedures, and guidelines. Appropriate supervision of new employee access to systems and data should be standard practice. New employees should be made aware that secure computing practices will be part of their performance reviews.

All physical and logical access to computing and network facilities and resources should be assigned in accordance with the principle of least privilege and principle of separation of duties.
2)   Measures for Separating Employees

All UW departments, colleges, schools, and business units should establish and maintain processes and procedures to properly and quickly close and remove all computing system and network privileges and resources when an employee is separated, even if the employee is going to another job within the UW. These processes and procedures should include the following:

  • The separated employee's immediate manager is responsible for notifying all system owners and operators, or the designated system administrator handling the computer or communications accounts, to close all related accounts and remove all access capabilities related to the separated employee.

  • Separated employees may not retain, give away, or remove from UW premises any UW information (electronic or hard copy) other than personal copies of information disseminated to the public and personal copies of correspondence directly related to the terms and conditions of their employment. All other UW information in the custody of the departing employee must be turned over to the employee's immediate supervisor at the time of departure.

  • At the time of separation, all UW property must be returned. This includes portable computers, printers, modems, software, cellular telephones, digital pagers, PDAs, documentation, building keys, lock combinations, encryption keys, and access cards.
3)   Measures for Employees on Leave or Suspension

All UW departments, colleges, schools, and business units should establish and maintain processes and procedures to properly and quickly close and remove all computing system and network privileges and resources when an employee is suspended or is taking an extended leave of absence (including long-term illness or disability). It is important to use the same security measures for suspended employees as are used for separating employees. In addition, extended leaves of absence may require these measures, at the supervisor's discretion, taking into consideration such factors as level of access, nature and scope of computer applications and permissions, and duration of absence.

4)   Measures for Vendors

Vendors with access to computers and networks should meet many of the same standards placed on employees. They should understand the security policies and practices. Their access should be limited to just what is necessary for them to meet their contract requirements. When appropriate, vendors should be escorted into physically restricted areas. When their job is complete, they should return all access devices, and their log-on privileges should be terminated.

h.   Policy Enforcement

Individuals who violate this policy may be denied access to UW computing and network resources and may be subject to other penalties and disciplinary action within and outside the UW. Departmental managers are expected to work with appropriate UW resources in investigating and addressing suspected violation of this policy. Such resources include, but are not limited to, UW Internal Audit, UW Risk Management, UW Police Department, departmental managers, UW Human Resources, and Student Affairs.

The UW may temporarily suspend, block, or restrict access to computing resources and accounts at any time when it reasonably appears necessary to do so in order to protect the integrity, security, or availability of UW computing and network resources or to protect the UW from liability. The UW will refer suspected violations of applicable law to appropriate law enforcement agencies.

In general:

  • If violations of this policy are minor and unintentional, the UW will take appropriate actions to resolve the issue, and violators may be subject to disciplinary measures.

  • If violations of this policy are a result of negligent or deliberate acts, the UW will take appropriate actions to resolve the issue including disciplinary measures up to and including termination of employment or expulsion.

  • In addition to any other measures taken, if violations of this policy are a result of suspected illegal activities, the UW will notify appropriate University authorities and law enforcement agencies.

The UW reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of violations of this policy.

i.   Policy Maintenance

This policy and the related guidelines will be reviewed yearly. A major security compliance audit must take place every three years.

Return to Table of Contents


Top of Page