(Approved by the President by authority of the Board of Regents, Standing Orders, Chapter 1)
Responsibility for protecting UW information systems and
data is shared by many entities and individuals throughout the University
including the Privacy Assurance and Systems Security Council (PASS Council),
the UW Privacy Officer, Computing & Communications Security Services,
the UW Medicine IT Services Security Infrastructure Team, and all UW system
owners, operators, data
custodians, and users. The following section describes
the specific roles and responsibilities of each of these groups.
a. UW Privacy Assurance and Systems Security Council (PASS Council)
The Privacy Assurance and Systems Security
Council (PASS Council) is an appointed administrative
authority whose role is to provide oversight and direction
regarding information systems security and privacy
assurance. The membership of the PASS Council is composed
of senior officials and management staff representing
key administrative areas of the UW's operations.
The responsibilities of the PASS Council
include the following:
- Oversee the development, implementation, and maintenance
of a University-wide strategic information
systems security plan.
- Oversee the development, implementation, and enforcement of University-wide information systems
security policy and related recommended guidelines, operating procedures, and technical
standards.
- Oversee the process of handling requested policy exceptions.
- Advise the University administration on related risk
issues and recommend appropriate actions in support of the UW's
larger risk management programs.
- Ensure related compliance requirements are addressed,
e.g., privacy, security,
and administrative regulations associated with the Health Insurance Portability and
Accountability Act (HIPAA) and other federal and state rules.
- Ensure appropriate risk mitigation and control processes
for security incidents as required.
b. UW Privacy Officer
The privacy protection objectives of
the UW are critical to the success of the University's mission. The UW has
appointed a privacy officer as an integral component of its commitment
to protect privacy and comply
with all requirements for information systems protection. The role of the privacy officer
is to provide strategic oversight and coordination of the University's privacy protection
and compliance efforts. The privacy officer is appointed by the UW
president and must be a senior member of the administration. See the UW
Electronic Privacy Policy on Personally Identifiable Information for
detailed information about the privacy officer's specific duties.
The success of the privacy officer's efforts depends on strong support
from all system owners, operators, data custodians, and users throughout the UW.
c. Computing and Communications Security Services
Computing and Communications (C&C) plays an active, key
role in computer security planning, analysis, prevention, incident response,
and technical education for the University community. Key groups within C&C
that fulfill this role are Security Operations, the Security Infrastructure
Team, Network Support Services, and others.
C&C's security responsibilities
include the following:
- Support for UW security policy development, implementation,
and enforcement.
- Support for UW strategic security planning and plan implementation.
- Development of security strategy in UW information systems
architecture.
- Support for security and privacy awareness and education
programs.
- Incident response services as needed.
- Computer forensic services as required.
- Security consulting services as needed.
- Support for the development and implementation of all appropriate
standards and guidelines as necessary.
C&C coordinates its administrative activities and incident
response procedures as necessary with both the privacy officer and the
PASS Council. In addition, it works closely with the UW Medicine Information
Technology Services Security Infrastructure Team to ensure University-wide
service continuity and to leverage all mutually beneficial activities
and resources.
d. UW Medicine IT Services Security Infrastructure Team
The UW Medicine Information Technology Services (IT Services) Security
Infrastructure Team plays a key role in providing centralized oversight, direction,
and support for all information systems security-related services for UW
Medicine. The group's responsibilities include the following:
- Support for UW Medicine security policy development, implementation,
and enforcement.
- Support for UW Medicine strategic security planning and
plan implementation.
- Support for security awareness and education programs.
- Incident response services as needed.
- Computer forensic services as required.
- Security consulting services as needed.
- Support for the development and implementation of all appropriate
standards and guidelines as necessary with the UW Medicine
community.
The UW Medicine IT Services Security Infrastructure Team
works closely with C&C Security Operations to ensure University-wide
service continuity and to leverage all mutually beneficial activities
and resources.
The director of the UW Medicine IT Services Security Infrastructure
Team has review and decision authority over requests for exceptions to
information systems security policy within the UW Medicine environment,
unless privacy protection issues could be involved. Such issues fall under
the administrative authority of the privacy officer and designated authorities
specified by the UW administration or the UW Medicine administration.
e. System Owners and Operators
System owners and operators play a critical role in
protecting UW information systems and data. Their ranks might include members of the UW
professional staff, deans, department heads, faculty members, contracted employees,
or students.
System owners' and operators' areas of responsibility
for systems and information security include the following:
- Comply with UW policies and statutory and regulatory requirements.
- Comply with UW guidelines related to logical and physical
security (see UW Guidelines for Implementing Systems
and Data Security Practices).
- Comply with "Guidelines for UW Computer Services Users."
- Maintain confidentiality of sensitive
data, especially personally identifiable information and
valuable intellectual property (see UW Guidelines for Implementing
Systems and Data Security Practices and UW Electronic Information Privacy Policy
on Personally Identifiable Information).
- Grant access to all users based on the principle of least
privilege where required.
- Grant access to all users based on the principle
of separation of duties where required.
- Submit documented reports to the appropriate authority
on security breaches with the potential
to compromise personally identifiable information (see UW
Electronic Information Privacy Policy on Personally
Identifiable Information).
- Submit documented requests to the PASS Council for any desired exceptions to UW policy.
- Perform incident response activities when incidents involve their system(s).
- Specify security resources as required in University budget processes and in grant proposals.
All system owners and operators are encouraged to work closely with the PASS Council, UW privacy officer, data custodians, C&C Security Operations, and UW Medicine IT Services Security Infrastructure Team to help ensure the successful protection of UW computing resources and data.
f. Data Custodians
Data custodians are individuals who have been officially
designated as accountable for specific data that is transmitted, used,
and stored on a system or systems within a department, college, school,
or administrative unit of the UW. The role of the data custodians
is to provide direct authority and control over the management and
use of specific information. These individuals might be deans, department
heads, managers, supervisors, or designated staff. They might serve
dual roles as a system owner or operator and a data custodian.
Data custodians must follow all appropriate and related
security guidelines to ensure the protection of sensitive data and
intellectual property residing on systems for which they have accountability
(see UW Guidelines for Implementing Systems and Data Security
Practices).
The UW Electronic Privacy Policy on Personally Identifiable
Information delineates the ultimate custodial authority for the various
types of personally identifiable information.
Data custodians' responsibilities include the following:
- Ensure compliance with all UW policies and all statutory
and regulatory requirements.
- Provide system owners and operators with requirements for access control measures to protect sensitive data.
- Ensure appropriate disposal of all media on which data
is stored at the end of its use.
- Ensure appropriate security measures for transmission of data.
- Support access control of data by acting as a control point for all access requests.
- Support regular review and control procedures that ensure
that all access privileges are current and appropriate.
- Submit documented reports to the appropriate authority if there is a possibility of compromise
of personally identifiable information (see UW Electronic Information Privacy Policy on
Personally Identifiable Information).
- Ensure that all access is granted based on the principle of least
privilege where required.
- Ensure that all access is granted based on the principle
of separation of duties where required.
Data custodians, in conjunction with the system owners and operators
and the UW privacy officer, are responsible for documenting any requested
exceptions to UW privacy protection policies. Documented exceptions must
be approved in writing by the authorized University officials responsible
for the electronic information to which the exception applies. Exceptions
will be considered only when warranted and only to the degree necessary
to achieve the mission and business needs of the University. Any and
all exceptions made must be documented with the Executive Vice President.
g. Users
All users have a critical role in the effort to protect
and maintain UW information systems and data. Users of UW computing resources and data have the following
responsibilities:
- Support compliance with all federal and state statutes
and regulations.
- Comply with all UW policies and guidelines (see Guidelines for UW Computer Services Users and UW
Electronic Information Privacy Policy on Personally Identifiable Information).
- Protect against unauthorized access to accounts, privileges, and associated passwords.
- Maintain confidentiality of sensitive information to which
they are given access privileges.
- Accept accountability for all activities associated with individual user accounts and
related access privileges assigned to them.
- Restrict to authorized purposes the use of UW computers,
email, computer accounts, and networks and the information
accessed, stored, or used on any of these systems.
- Report all suspected security and/or policy violations
to an appropriate authority (e.g., manager, supervisor, system administrator, C&C Security Operations, or UW Medicine
IT Services Security Infrastructure Team).
- Report all known violations of privacy policy to the UW privacy officer.
Users are also required to follow all specific policies,
guidelines, and procedures established by the UW departments, schools,
colleges, or business units with which they are associated and that
have provided them with access privileges.