University of Washington
Administrative Policy Statements
June 27, 2008 2.10.3

Minimum Data Security Standards:
Data Classification and Related Measures of Protection

(Approved by the Provost and Executive Vice President by authority of Executive Order No. 4, Senior Vice President for Finance and Facilities by authority of Executive Order No. 5, and the Vice President of UW Technology by authority of Executive Order No. 63)


3. Controls for Protection of Data

This section outlines the controls that are necessary to implement the protective measures outlined in Section 4, Protective Measures for Data.

  a. Records Management (Retention and Disposal of Data)

This standards document is specific to measures and practices necessary for the protection of electronic UW data. Everyone who is accountable for the management or use of UW data must also become familiar with other University-wide and departmental policies and procedures related to records management that are published separately. These include records retention policy and procedures for the proper disposal of electronic media and paper records. For more information, see the General Records Retention Schedules.

  b. System Owners and Data Custodians: Roles and Responsibilities

Section 6 of APS 2.1, "UW Information Systems Security," defines the specific roles and responsibilities of groups and individuals within the University. These roles and responsibilities form the basis of accountability for and functional requirements of the protection of UW information systems. The roles of the system owner and data custodian are key to successful data protection practices. All individuals who have been designated as a system owner and/or data custodian should review their responsibilities as specified in this set of standards, APS 2.1, "UW Information Systems Security," and the Minimum Computer Security Standards.

  c. Access Control Principles

A required measure for protecting both confidential and restricted data is an access control system that has physical, technical, and procedural elements. Any access control measure established by a system owner or data custodian must be implemented and maintained in compliance with the principle of least privilege and the principle of separation of duties (see Section 5, Definitions, in APS 2.1, "UW Information Systems Security").

  d. "Controlled" Computer

All computer systems that host confidential data or applications that use restricted data must be carefully controlled in terms of their configuration, operation, maintenance, and security measures.

It is the responsibility of the owner of the controlled computer to ensure that all management requirements are met. Controlled computers must be managed with a level of care and professional support that includes the following:

    #1 Controlled computers will meet the UW Minimum Computer Security Standards.

    #2 Controlled computers must be managed to professional standards, preferably by well-trained or certified employees or contractors with sufficient knowledge and resources to ensure that data on them are properly secured.

    #3 Operating systems and applications on controlled computers must be patched to and maintained at the most current level provided by their manufacturers.

    #4 Controlled computers should run no programs or services that are not necessary to their core purpose. For example, controlled computers that contain sensitive data should not run Web or file-sharing services, since these are frequently targeted and compromised by outsiders. Network-aware client software on controlled computers, such as Web browsers or email readers, should block the automatic execution of attachments, graphical files, or other common carriers of computer viruses, Trojans, or worms.

    #5 Controlled computers must prevent unauthorized users from running programs or accessing raw data. For example, there should be no "guest," shared, or general-purpose accounts on controlled computers. User accounts should be limited to the minimum necessary for the operation of the computer and its core functions. Accounts with substantial system-administration privileges should be granted only to a few individuals with general management responsibility for the systems in question, and never to individuals without UW faculty or staff appointments. In general, system-administrator and similar "root" accounts should be used only when strictly required, and never when use of a less privileged account could achieve the same purpose.

    #6 User-authentication processes must encrypt or otherwise protect username and password exchanges from interception. In general, login or shell access to controlled computers must be restricted to the campus network and/or to secured remote access that follows security industry best practices, including two-factor authentication mechanisms.

    #7 All user passwords associated with administrative access to controlled computers should meet or exceed the UW password complexity guidelines. In addition, users with extensive access to controlled computers should avoid using the corresponding passwords for other purposes.

    #8 Controlled computers must be reasonably secured against unauthorized access, including data interception and compromise. For example, controlled computers must connect to the network using technologies that are reasonably secure from sniffing, which excludes unencrypted hub or wireless connections. Controlled computers must run antivirus and anti-spyware software, updating definition files frequently. They should run host-based firewall or equivalent port-blocking software, configured to disable all ports not necessary for system functioning.

    #9 Controlled computers must be provided physical security measures necessary to prevent theft, tampering, or destruction.

    #10 Controlled computers must subscribe to a regimented backup process to ensure data integrity, system availability, and business continuity functions as required.

  e. Controlled Application

All applications that handle confidential data must be written in a way that ensures that the data is not inadvertently exposed, either through errors in design or coding or by not implementing appropriate security measures (e.g., encryption, authorization, and authentication). In addition, Web application code must meet Open Web Application Security Project standards (see Section 4.c, Item #2).
