(Approved by the Vice President for UW Information Technology and Chief Information Officer by authority of Executive Order No. 63)
University of Washington (University) shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.
This policy describes the information security controls used by the University to protect its institutional information, information systems, computerized devices, and infrastructure technology. The underlying principles of this policy are least-privilege access and separation of duties for the creation, use, and dissemination of information. The following controls will be implemented based on the approved information security standards and will be commensurate with asset value and risk as determined by the Executive Heads of Major University Organizations.
This policy applies to the entire University.
General operational controls include the appropriate security controls and operational practices for the University's networks, information systems, applications, and information throughout the institution. These controls must be defined, implemented, maintained, and include the following:
Technical security and access controls restrict access to institutional information and systems in accordance with the University’s information security and privacy policies and standards. These controls must be defined, implemented, maintained, and include the following:
Monitoring controls define the event information that will be logged and monitored, and alert levels that will be triggered for incident response. These controls must be defined, implemented, maintained, and include the following:
Physical controls define the protection required for the data center, physical assets, critical information systems, and institutional information. These controls must be defined, implemented, maintained, and include the following:
Asset identification controls include the planning and operational procedures related to asset inventory, accountability, responsibility, and information classification. These controls must be defined, implemented, and maintained to identify, inventory, assign ownership, and classify institutional information and information systems using the following information classification scheme:
Account and identity management controls govern the hiring, termination, and background checking procedures for the University’s workforce members. They also focus on identity and account management for all accounts such as employee, non-employee, system, or service accounts. These controls must be defined, implemented, maintained, and include the following:
The University Chief Information Security Officer shall review and approve this policy statement at least every three years, or more frequently as needed to respond to changes in the regulatory environment, before it is sent for final approval to those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.
For information security standards and guidelines related to this policy, see the Privacy Assurance and Systems Security (PASS) Council website.
For additional resources or further information on this policy, see the Office of the University Chief Information Security Officer website, or contact the office as follows:
June 20, 2012.