University of Washington Administrative Policy Statements
June 27, 2008 | 2.10.4
Minimum Data Security Standards:
a. Protective Measures for Public Data

The UW's minimum computer security standards are required for all computer systems that host public data. In addition, public data must be protected by the specific measures identified in Section 4.d of this document, Reference Matrix for Data Protection Measures.

b. Protective Measures for Restricted Data

The UW's minimum computer security standards are required for all computer systems that host restricted data. In addition, restricted data must be protected by the specific measures identified in Section 4.d of this document, Reference Matrix for Data Protection Measures.

c. Protective Measures for Confidential Data

#1 The UW's minimum computer security standards are required for all computer systems that host confidential data. This basic requirement, along with several other specific measures, is identified in Section 4.d of this document, Reference Matrix for Data Protection Measures.

#2 Applications that are linked to databases or data files that contain confidential data must meet the Open Web Application Security Project (OWASP) standards for secure coding. Owners of such applications are required to demonstrate compliance with these standards when audited or when requested by the UW Chief Information Security Officer (CISO).

#3 Loading confidential data onto laptops and other portable computing and data storage devices (e.g., USB flash drives, CDs, PDAs, BlackBerries, etc.) is discouraged and restricted to unusual operational circumstances that require such action. If it is necessary to load confidential data onto a portable computing or portable data storage device, the data must comply with the encryption security measures in the table below and be password protected, or an equivalent access protection measure must be taken. A laptop or other portable computing device that has confidential data stored on it must be treated as a "controlled computer." It must also have additional security features to prevent unauthorized use of the system if it is lost or stolen.

#4 Strong access control and management practices are required when non-UW employees (e.g., contractors, venders) are provided data access. UW system owners and data custodians must ensure that all such granted privileges are justified, controlled, and are limited to only what is absolutely necessary. If confidential data is shared or given to an outside organization as part of required business activity, a data sharing agreement (contract) specific to the data sharing activity must be implemented. It must include appropriate risk transfer language including: specific recitals that detail the data being shared, limits of its use, and related handling; indemnification terms; terms for oversight and verification of data protection measures that are agreed to be maintained.

d. Reference Matrix for Data Protection Measures

At a minimum, every computer on or directly connecting to the campus network that contains UW confidential or restricted data is required to be a "controlled computer" and must meet UW Minimum Computer Security Standards. In addition, the data on a UW computer may need to be protected with additional security measures, which are summarized in the matrix in the table below.

| Protective Measures | Data Category | | |
| | Confidential | Restricted | Public |
| Minimum Computer Security Standards | Yes | Yes | Yes |
| Access Control Measures (Authorization) | Yes (documented and audited for compliance once every three years) | Yes (documented) | Yes (limited to system administrators) |
| Log Reviews and Alerts | Logging alerts and regular reviews | Regular reviews | Basic logging and random periodic reviews |
| Authentication | Yes (two-layer minimum) | Yes (two-layer recommended) | Configure computer access to: yes for "write," none for "read" |
| Firewall Protection | Yes (per controlled computer requirements) | Yes | Yes (if feasible) |
| Backup and Recovery Processes | Yes (per controlled computer requirements) | Yes | Yes |
| Physical Security | Yes | Yes | Yes |
| Encryption (During Transmission) | Yes | Recommended | No |
| Encryption (Storage/Backups) | Recommended | Optional | No |
| Encryption ("Data at Rest" on System) | Recommended | Optional | No |
| Personnel Criminal Background Check | Yes (as specified by UW Human Resources) | Yes (as specified by UW Human Resources) | Yes (as specified by UW Human Resources) |
| Data Sharing Agreements (with Business Partners, Venders and Others Who Are Given UW Data) | Yes | No | No |
| Audit of Security Measures | Yes (minimum of once every three years and more frequent audits, if possible) | Yes (random sampling) | Recommended (random sampling) |