(Approved by the Vice President for UW Information Technology and Chief Information Officer by authority of Executive Order No. 63)
University of Washington shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.
This policy describes the information security controls used by the University to protect its institutional information, information systems, computerized devices, and infrastructure technology. The underlying principles of this policy are to achieve the ideals of least-privilege access and separation of duties for the creation, use, and dissemination of information. The following controls will be implemented based on the approved information security standards and will be commensurate with asset value and risk as determined by the Executive Heads of Major University Organizations.
This policy is applicable to all of the University.
The Executive Heads of Major University Organizations are responsible for the risks associated with their assets. They must document and implement an Information Security Plan (Plan) that demonstrates due care in securing their assets by meeting the intention of the controls in this policy statement. The Plan must address each of the requirements in this policy statement and include the following:
For Plan templates and information security guidelines related to this policy statement, see the Office of the University Chief Information Security Officer website.
General operational controls include the appropriate security controls and operational practices for the University's networks, information systems, applications, and information throughout the institution. These controls must be defined, implemented, maintained, and include the following:
Technical security and access controls restrict access to institutional information and systems in accordance with the University's information security and privacy policies and standards. These controls must be defined, implemented, maintained, and include the following:
Monitoring controls define the event information that will be logged and monitored, and alert levels that will be triggered for incident response. These controls must be defined, implemented, maintained, and include the following:
Physical controls define the protection required for the data center, physical assets, critical information systems, and institutional information. These controls must be defined, implemented, maintained, and include the following:
Asset identification controls include the planning and operational procedures related to asset inventory, accountability, responsibility, and information classification. These controls must be defined, implemented, and maintained to identify, inventory, assign ownership, and classify institutional information and information systems using the following information classification scheme:
Account and identity management controls govern the hiring, termination, and background checking procedures for the University's workforce members. They also focus on identity and account management for all accounts such as employee, non-employee, system, or service accounts. These controls must be defined, implemented, maintained, and include the following:
The University Chief Information Security Officer shall review and approve this policy statement at least every three years, or more frequently as needed to respond to changes in the regulatory environment, before sending it for final approval to those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.
For additional resources or further information on this policy statement, see the Office of the University Chief Information Security Officer website.
June 20, 2012; October 28, 2013.