University of Washington Policy Directory

Print This Page E-mail this Page
*Formerly part of the University Handbook
Administrative Policy Statement
2.6


Information Security Controls and Operational Practices

(Approved by the Vice President for UW Information Technology and Chief Information Officer by authority of Executive Order No. 63)



1.  Purpose

University of Washington (University) shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.

This policy describes the information security controls used by the University to protect its institutional information, information systems, computerized devices, or infrastructure technology. The underlying principles of this policy are to achieve the ideal of access of least privilege and separation of duties for the creation, use, and dissemination of information. The following controls will be implemented based on the approved information security standards and will be commensurate with asset value and risk as determined by the Executive Heads of Major University Organizations.

2.  Scope

This policy is applicable to all the University.

3.  General Operational Controls

General operational controls include the appropriate security controls and operational practices for the University's networks, information systems, applications, and information throughout the institution. These controls must be defined, implemented, maintained, and include the following:

  • A change and configuration management process

  • A flaw remediation process

  • A malicious code and unauthorized software countermeasure process

  • A media and device handling and destruction process

  • Secure application development life cycle or system development life cycle process

  • Systematic backup process for critical information and software

  • Business disaster recovery and continuity plans

  • Information security technical architecture standards

  • Institutional hardware, software, system build, and maintenance standards

  • Acceptable use standards.

4.  Technical Security and Access Controls

Technical security and access controls restrict access to institutional information and systems in accordance with the University’s information security and privacy policies and standards. These controls must be defined, implemented, maintained, and include the following:

  • Remote and external access process

  • A cryptographic process and data protection standard

  • An access authorization process for all authorized users and information systems

  • An authentication mechanism for all authorized users and information systems

  • Network, system, and application level protection measures.

5.  Monitoring Controls

Monitoring controls define the event information that will be logged and monitored, and alert levels that will be triggered for incident response. These controls must be defined, implemented, maintained, and include the following:

  • Baseline measurement process for application, system, and network activity

  • Monitoring capability of critical systems

  • Intrusion detection mechanism

  • Logging process of network, systems, and applications.

6.  Physical Controls

Physical controls define the protection required for the data center, physical assets, critical information systems, and institutional information. These controls must be defined, implemented, maintained, and include the following:

  • Physical protection process for buildings that house critical information system facilities

  • Physical protection process for critical information systems and institutional information

  • Data destruction or disposal process

  • Physical access process of buildings that house critical information technology facilities

  • Physical security plan.

7.  Asset Identification Controls

Asset identification controls include the planning and operational procedures related to asset inventory, accountability, responsibility, and information classification. These controls must be defined, implemented, and maintained to identify, inventory, assign ownership, and classify institutional information and information systems using the following information classification scheme:

8.  Account and Identity Management Controls

Account and identity management controls govern the hiring, termination, and background checking procedures for the University’s workforce members. They also focus on identity and account management for all accounts such as employee, non-employee, system, or service accounts. These controls must be defined, implemented, maintained, and include the following:

  • Identity and eligibility verification and registration process

  • User and system account life cycle management process.

9.  Policy Maintenance

The University Chief Information Security Officer shall review and approve this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment, prior to being sent for final approval by those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.

10.  Additional Information

For information security standards and guidelines related to this policy, see the Privacy Assurance and Systems Security (PASS) Council website.

For additional resources or further information on this policy, see the Office of the University Chief Information Security Officer website, or contact the office as follows:

  • Phone: 206–685–0116
  • Campus mail: Box 352820
  • Email: ciso@uw.edu

June 20, 2012.