Administrative Policy Statement

2.4

Information Security and Privacy Roles, Responsibilities, and Definitions

(Approved by the Chief Health System Officer, UW Medicine and Vice President for Medical Affairs by authority of Executive Order No. 1; the Provost and Executive Vice President by authority of Executive Order No. 4; and the Vice President and Vice Provost for UW Information Technology by authority of Executive Order No. 63)

1. Purpose

The University of Washington's (University) policy statements on information security and privacy included in the University Administrative Policy Statements (APS) establish the principles of confidentiality, integrity, and availability for University institutional information, infrastructure technology, and information systems.

This policy statement establishes roles, responsibilities, and definitions that are used in all the University policies on information security and privacy as well as standards and guidelines issued pursuant to University rules or policies.

Figure 1 below illustrates the flow of University information covered in this policy statement.

2. Roles and Responsibilities

Individuals across the University have the following responsibilities for information security and privacy.

Figure 2 below illustrates the strategic, tactical, and operational relationships of the different information security and privacy roles.

	a.	Privacy Assurance and Systems Security Council The Privacy Assurance and Systems Security Council (PASS Council) provides institutional oversight and advisory services for information security and privacy. The responsibilities of the PASS Council include: Develop, implement, and maintain University-wide strategic plans for information security and privacy; Develop, implement, and maintain University-wide information security and privacy policies, standards, guidelines, and operating procedures related to University technology and institutional information in any form (e.g. electronic or paper); Approve information security and privacy policy exceptions; Coordinate compliance requirements related to information security and privacy laws and regulations that impart a duty upon the University; Oversee related institutional risk issues and provide appropriate recommendations in support of the University's larger risk management programs and objectives; and Recommend risk mitigation and control processes for information security and privacy incidents. The membership of the PASS Council is composed of senior officials and management staff representing key areas of the University.
	b.	University Chief Information Security Officer The University Chief Information Security Officer is responsible for information assurance vision, strategy, and coordination across the University. The responsibilities of the University Chief Information Security Officer include: Coordinate and document information assurance program activities; Oversee the creation and maintenance of the University information security and privacy related policies, standards, and guidelines; Oversee institutional risk assessments related to University information security and privacy practices; Provide support for compliance with information security and privacy related laws, regulations, standards, and contractual requirements; Provide oversight and direction for information security and privacy incident investigations, including incident management and determination of notification requirements; Serve as the University's liaison with law enforcement, and other outside authorities, who may need to be informed about an information security and privacy incident; and Collaborate with the University Privacy Official, University Facility Security Officer, and other individuals as appropriate to develop and maintain an authoritative list of information security and privacy laws that impart a duty upon the University.
	c.	University Privacy Official The University Privacy Official oversees the University rules or policies, procedures, and enforcement efforts relating to privacy. The responsibilities of the University Privacy Official include: Coordinate and document privacy program activities among the UW Medicine and non-UW Medicine healthcare components of the University as required by the Health Insurance Portability and Accountability Act (HIPAA); Approve the University-wide privacy program policies and procedures; Oversee institutional risk assessments related to the University privacy practices; Work closely with senior administrators and compliance staff to enforce privacy program policies; Provide oversight and direction for information security and privacy incident investigations, including incident management and determination of notification requirements; and Collaborate with other University officials who have delegated responsibility for specific types of personally identifiable information when there are mutual concerns, system-wide policy needs, and the need to respond to urgent or emergent issues.
	d.	Chief Privacy Officer for the Non-UW Medicine Components of the Hybrid Entity Under delegated authority from the University Privacy Official, this officer provides oversight and direction for information security and privacy incident investigations, including determination of notification requirements involving protected health information (PHI) for the non-UW Medicine healthcare components of the hybrid entity. See University of Washington HIPAA Designation for a list of the non-UW Medicine healthcare components of the hybrid entity. Also see UW Medicine Privacy Policies.
	e.	Chief Privacy Officer for UW Medicine Under delegated authority from the University Privacy Official, this officer provides oversight and direction for information security and privacy incident investigations, including determination of notification requirements involving protected health information (PHI) for UW Medicine. See University of Washington HIPAA Designation for a list of the non-UW Medicine healthcare components of the hybrid entity. Also see UW Medicine Privacy Policies.
	f.	Data Trustees Data trustees are high-level employees (e.g., chancellors, vice presidents, vice provosts, and deans) appointed by and reporting to the President or Provost and Executive Vice President. The responsibilities of the data trustees include: Authorize policies, standards, and guidelines regarding business definitions of information, and the access and usage of that information, within their delegations of authority; and Appoint data custodians for their subject area domains.
	g.	Managerial Group for Classified Research and Contracts The Managerial Group for Classified Research and Contracts includes the President, the Vice Provost for Research, or his or her designee, and the University Facility Security Officer. The Managerial Group for Classified Research and Contracts is responsible for the negotiation, execution, and administration of classified United States government contracts at the University. The Managerial Group for Classified Research and Contracts provides oversight and direction for information security and privacy incidents involving national security information.
	h.	University Facility Security Officer The University Facility Security Officer is responsible for directing and managing all aspects of the University's classified security program, including physical, personnel, computing, and special security. The University Facility Security Officer coordinates with and reports to appropriate federal agencies regarding issues and incidents related to national security information provided to or developed by the University under the University's classified contracts. The responsibilities of the University Facility Security Officer include: Manage the creation and maintenance of University policies, standards, and guidelines related to national security information; Review and approve plans and procedures related to the protection of national security information at the University and within the University's organizational areas (e.g. colleges, schools, departments); and Serve as the University's liaison with law enforcement and other outside authorities who need to be informed about an information security and privacy incident.
	i.	Data Management Committee The Data Management Committee (DMC) is chartered by the Provost and Executive Vice President to address data stewardship responsibilities for the University. The scope of the charge is inclusive of all three campuses, remote sites, medical centers, and all academic support (fee-based) units. The responsibilities of the DMC include: Review and document business processes, data definitions, data dictionaries, data warehouse elements and uses, and business intelligence tools; Recommend University-wide standards for data administration aspects of business processes, data definitions, data dictionaries, data warehouse elements and uses, and business intelligence tools; Adopt, communicate, and oversee implementation of University-wide standards for data administration aspects of business processes, data definitions, data dictionaries, data warehouse elements and uses, and business intelligence tools; Engage in priority setting and policy setting as related to the above; and Recommend and coordinate structures and subcommittees necessary to accomplish the charge and related tasks outlined above.
	j.	Data Custodians Data custodians are appointed by and report to the data trustees. Data custodians have knowledge of and work in accordance with numerous University rules and policies across the University, including University policies on information security and privacy. The responsibilities of data custodians include: Help define, interpret, implement, and enforce University policies, standards, and guidelines for institutional information within their purview; Identify systems of record containing institutional information; Categorize institutional information within systems of record as public, restricted, or confidential according to University policies on information security and privacy; and Define access, quality, and usage standards and guidelines for institutional information.
	k.	Executive Heads of Major University Organizations The executive heads of major University organizations are chancellors, vice presidents, vice provosts, deans, the Executive Director of Health Sciences Administration, and other individuals with delegated executive authority. These individuals, or their designee(s), have the following responsibilities: Oversee the confidentiality, integrity, and availability of information or information systems; As needed, develop, implement, and maintain policies, standards, or guidelines for information security and privacy that are consistent with the University rules or policies on information security and privacy and the University standards and guidelines issued pursuant to the University rules or policies; Formally request exemptions to the University policies using the process set forth in Section 4 of this policy statement; Be accountable for risks, compliance obligations, budgets, and financial costs associated with University information security and privacy, including information security and privacy incidents and information security breaches within the organizational area(s) for which they are responsible; Follow the direction of the University Chief Information Security Officer, the University Privacy Official, or his or her designee, or the University Facility Security Officer in connection with an information security and privacy incident investigation, and direct others to do so; and Formally appoint, or have their designee(s) formally appoint, one or more information assurance liaisons and system owners for information system(s) for which they are responsible.
	l.	Incident Manager An incident manager is assigned by the University Chief Information Security Officer, the University Privacy Official, or his or her designee, or the University Facility Security Officer on a per incident basis. Where required for incidents involving national security information, the incident manager shall be an authorized person. The responsibilities of the incident manager include: Under the direction of the designated official, manage and coordinate incident response, communication, and notification; and Coordinate incident documentation and documentation retention activities.
	m.	Subject Matter Experts The subject matter experts provide oversight and direction on compliance with information security and privacy laws and regulations that impart a duty upon the University.
	n.	System Owners System owners are formally appointed by and report to the executive heads of major University organizations or their designee(s). The responsibilities of the system owners include: Manage the confidentiality, integrity, and availability of the information systems for which they are responsible. This shall include developing and implementing a process for managing access to information systems for which they are responsible, and other processes or controls in compliance with University policies on information security and privacy; Advise executive heads of major University organizations on the financial resources necessary to develop and implement information systems and controls, including those specifically required by grants or contracts; Maintain critical information system documentation; and Formally appoint and delegate responsibility to system operators.
	o.	System Operators System operators are formally appointed by and report to system owners. Where required for information systems involving national security information, a system operator shall be an authorized person. The responsibilities of the system operators includes: Making and being accountable for operational decisions about the use and management of an information system; and Responsibilities as delegated by system owners.
	p.	Information Assurance Liaisons Information assurance liaisons are formally appointed by and report to executive heads of major UW organizations or their designee(s). Where required for national security information, an information assurance liaison shall be an authorized person. The responsibilities of the information assurance liaisons include: Serve as a point of contact for the University information security and privacy related committees and officials as well as for the organizational area(s) for which they are responsible in matters related to information security and privacy; Communicate with and educate workforce members regarding the confidentiality, integrity, and availability of institutional information, information systems, and relevant University rules or policies, as well as the policies, standards, and guidelines for the organizational area(s) for which they are responsible; Facilitate requests for access to information systems upon request by the data custodians, system owners, and managers, including, but not limited to, obtaining proper approval and determining appropriate access needs for staff; and Facilitate resolution of information security and privacy issues for the organizational area(s) for which they are responsible.
	q.	Workforce Members Workforce members are employees, trainees, students, volunteers, and other entities or persons who perform work for the University. Workforce members shall consult with and follow the applicable laws, regulations, and University rules or policies. In addition, workforce members shall consult applicable University standards and guidelines. Workforce members shall only access and use University information systems and institutional information to fulfill authorized job duties or activities for the University. Other than as allowed by law, when University employees (who are workforce members) provide a third party access to or use of institutional information covered by University rules or policies, the employees shall include terms and conditions in an agreement or contract that require compliance with applicable information security and privacy laws and University rules or policies.

3. Definitions

The following are definitions for terms used in the University policies on information security and privacy as well as standards and guidelines issued pursuant to the University rules or policies.

Access control system: Physical, administrative, or technical controls that grant and restrict individual access to information systems.

Authentication: A systematic method for establishing proof of individual identity when an individual accesses an information system.

Authorization: The process to define which individuals are allowed access to an information system and what privileges are allowed for each individual.

Authorized person: An individual authorized to access national security information when the individual:

Has the requisite U.S. government security clearance, formal access approvals, and need-to-know for access to U.S. government classified information;
Meets the conditions that define a "United States person" (as defined in the Export Administration Regulations or International Traffic in Arms Regulations), or is covered under the terms and conditions of an export control license for access to export-controlled information; and
Is a University employee for access to sensitive unclassified information that is not limited under export control regulations.

Availability: Information and information systems are accessible by authorized individuals.

Computerized devices: A machine that includes or attaches to a computer. Examples include, but are not limited to, medical devices, smart phones, or PDAs.

Confidential information: Information that is very sensitive in nature and typically subject to federal or state regulations. Unauthorized disclosure of this information could seriously and adversely impact the University or the interests of individuals and organizations associated with the University.

To avoid confusion with federal Executive Order 12958 for classified national security information, confidential documents and data may be labeled "UW Confidential."

Confidentiality: Information or information systems are not accessed, acquired by, used, or disclosed to unauthorized parties.

Guideline(s): An approved and published recommendation, advisement, procedure, or outline explaining how University rules or policies or standards may be implemented.

Incident(s): See definition for information security and privacy incident(s).

Information security and privacy incident(s): An event that adversely impacts the confidentiality, integrity, or availability of institutional information, infrastructure technology, or information systems.

Information security breach: Unauthorized access, acquisition, use, or disclosure of confidential information or an information system that contains confidential information.

Information system(s): An assembly of electronic components that supports an operational role or accomplishes a specific objective. This may include a discrete set of information resources (e.g., network, server, computer, software, application, operating system, or storage device) organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. These information resources may be under common management control or perform a common function.

Infrastructure technology: An electronic hardware device organized for the processing, maintenance, or management of an operational function (e.g., an HVAC).

Institutional information: All information which is created, received, maintained, or transmitted by the University. Institutional information can be contained in any form, including, but not limited to, documents, databases, spreadsheets, email, or websites; represented in any form, including, but not limited to, letters, numbers, words, pictures, sounds, symbols, or any combination thereof; communicated in any form, including, but not limited to, handwriting, printing, photocopying, photographing, or web publishing; and recorded upon any form, including, but not limited to, papers, maps, films, prints, discs, drives, memory sticks, or other information systems.

Integrity: Information or information systems that have not been altered or corrupted by chance or by malice.

National security information: United States government classified information and sensitive unclassified information.

Personally identifiable information (PII): Any information that directly relates to an individual and is reasonably likely to enable identification of that individual or information that is defined as PII and subject to protection by the University under federal or state law.

Policy statement: The published document in which the University's policies are stated. See also: University rules or policies.

Principle of least privilege: Access privileges to any University information system or institutional information for any individual shall be limited to only what they need to have to be able to complete their assigned duties or functions.

Principle of separation of duties: Whenever practical, no one person shall be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.

Protected health information (PHI): See Glossary of Terms for UW Medicine Privacy Policies.

Public information: Information that is published for public use or has been approved for general access by the appropriate University authority.

Restricted information: Information that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure.

Sensitive unclassified information (SUI): Unclassified information that does not meet the standards for national security classification, but is pertinent to the national interests of the United States, and requires, under law or University rules or policy, protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. SUI includes:

Export controlled information, whether or not it is related to a classified contract;
Unclassified information that has been marked with United States government distribution limitations, whether or not it is related to a classified contract; and
All unclassified information related with a classified contract that has not been approved for public release.

Standard(s): An approved and published explanation that elaborates on a rule or policy. Violations of standards may result in discipline or loss of University privileges.

Subject area domains: Institutional information is classified according to specific high-level subject area domains for the purpose of assigning accountability and responsibility over that data. The subject area domains are defined in the University Data Map. Examples of high-level subject area domains are Human Resources, academics, financial resources, University Advancement, etc. The University Data Map further defines specific business domains within each subject area domain. Examples of business domains within the academics subject area domain are curriculum and courses, financial aid, applications admissions and enrollments, transcripts, degrees, and awards, etc.

System of record: An information system that is designated by the University data custodians as holding official values of institutional information. Official values are the data designated as the most accurate representation of the meaning and context of institutional information elements, which are recorded as facts. Official values are not necessarily the originally entered values, and as such, a system of record may not necessarily be the system where values are originally entered. When questions arise over the meaning or interpretation of data elements, or their values, the system of record is used to resolve discrepancies.

United States (U.S.) government classified information: Official information, owned by the U.S. government or entrusted to the U.S. government by another country, that has been determined, pursuant to U.S. Presidential Executive Order 12958 or any predecessor order, to require protection against unauthorized disclosure in the interest of national security and which has been so designated. The three levels of classification defined by Executive Order 12958 are CONFIDENTIAL, SECRET, and TOP SECRET.

University rules or policies: An approved and published set of University rules, orders, codes, or policies. Violations of a University rule or policy may result in discipline or loss of University privileges.

Users: Any individual that has been granted access and privileges to information systems or institutional information.

4. Exemptions

A written request for an exemption to the University policies on information security and privacy or a standard issued pursuant to the University rules or policies shall be submitted for review and potential approval to the University Privacy Official, University Chief Information Security Officer, and the Managerial Group for Classified Research and Contracts. As needed, the University Privacy Official, University Chief Information Security Officer, and the Managerial Group for Classified Research and Contracts will collaborate with the PASS Council.

5. Policy Maintenance

The University Privacy Official, the University Chief Information Security Officer, and the Managerial Group for Classified Research and Contracts shall review and approve this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment, prior to being sent for final approval by those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.

6. Enforcement

The individuals with responsibility to enforce the University policies on information security and privacy are identified herein or in a specific policy statement.

Failure by an individual to comply with the University policies on information security and privacy may result in disciplinary action up to and including termination for University employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student.

The University reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of a violation of the University policies on information security and privacy.

7. Additional Information

For further information on this policy statement contact:

Phone: 206–685–0116

Campus mail: Box 352820

Email: ciso@uw.edu

Phone: 206-543-3098

Campus mail: Box 358049

Email: comply@uw.edu

Phone: 206-543-1315

Campus mail: Box 355640

Email: uwfso@uw.edu

November 4, 2011; RC, June 20, 2012.

University of Washington Policy Directory