(Approved by the Provost and Executive Vice President by authority of Executive Order No. 4, Senior Vice President for Finance and Facilities by authority of Executive Order No. 5, and the Vice President of UW Technology by authority of Executive Order No. 63)
This section outlines the controls that are necessary to implement the protective measures outlined in Section 4, Protective Measures for Data.
a. Records Management (Retention and Disposal of Data)

This standards document is specific to the measures and practices necessary for the protection of electronic UW data. Everyone who is accountable for the management or use of UW data must also become familiar with the other University-wide and departmental policies and procedures related to records management that are published separately. These include the records retention policy and the procedures for the proper disposal of electronic media and paper records. For more information, see the General Records Retention Schedules.

b. System Owners and Data Custodians: Roles and Responsibilities

Section 6 of APS 2.1, "UW Information Systems Security," defines the specific roles and responsibilities of groups and individuals within the University. These roles and responsibilities form the basis of accountability for, and the functional requirements of, the protection of UW information systems. The roles of system owner and data custodian are key to successful data protection practices. All individuals who have been designated as a system owner and/or data custodian should review their responsibilities as specified in this set of standards, in APS 2.1, "UW Information Systems Security," and in the Minimum Computer Security Standards.

c. Access Control Principles

A required measure for protecting both confidential and restricted data is an access control system with physical, technical, and procedural elements. Any access control measure established by a system owner or data custodian must be implemented and maintained in compliance with the principle of least privilege and the principle of separation of duties (see Section 5, Definitions, in APS 2.1, "UW Information Systems Security").

d. "Controlled" Computer

All computer systems that host confidential data or applications that use restricted data must be carefully controlled in terms of their configuration, operation, maintenance, and security measures. It is the responsibility of the owner of the controlled computer to ensure that all management requirements are met. Controlled computers must be managed with a level of care and professional support that includes the following:

#1 Controlled computers will meet the UW Minimum Computer Security Standards.

#2 Controlled computers must be managed to professional standards, preferably by well-trained or certified employees or contractors with sufficient knowledge and resources to ensure that the data on them are properly secured.

#3 Operating systems and applications on controlled computers must be patched to, and maintained at, the most current level provided by their manufacturers.

#4 Controlled computers should run no programs or services that are not necessary to their core purpose. For example, controlled computers that contain sensitive data should not run web or file-sharing services, since these are frequently targeted and compromised by outsiders. Network-aware client software on controlled computers, such as web browsers or email readers, should block the automatic execution of attachments, graphical files, or other common carriers of computer viruses, Trojans, or worms.

#5 Controlled computers must prevent unauthorized users from running programs or accessing raw data. For example, there should be no "guest," shared, or general-purpose accounts on controlled computers. User accounts should be limited to the minimum necessary for the operation of the computer and its core functions. Accounts with substantial system-administration privileges should be granted only to a few individuals with general management responsibility for the systems in question, and never to individuals without UW faculty or staff appointments. In general, system-administrator and similar "root" accounts should be used only when strictly required, and never when a less privileged account could achieve the same purpose.

#6 User-authentication processes must encrypt or otherwise protect username and password exchanges from interception. In general, login or shell access to controlled computers must be restricted to the campus network and/or to secured remote access that follows security industry best practices, including two-factor authentication mechanisms.

#7 All user passwords associated with administrative access to controlled computers should meet or exceed the UW policy guidelines for password complexity. In addition, users with extensive access to controlled computers should avoid using the corresponding passwords for other purposes.

#8 Controlled computers must be reasonably secured against unauthorized access, including data interception and compromise. For example, controlled computers must connect to the network using technologies that are reasonably secure from sniffing, which excludes unencrypted hub or wireless connections. Controlled computers must run antivirus and anti-spyware software, with definition files updated frequently. They should run host-based firewall or equivalent port-blocking software, configured to disable all ports not necessary for system functioning.

#9 Controlled computers must be provided with the physical security measures necessary to prevent theft, tampering, or destruction.

#10 Controlled computers must subscribe to a regimented backup process to ensure data integrity, system availability, and business continuity functions as required.

e. Controlled Application

All applications that handle confidential data must be written in a way that ensures the data is not inadvertently exposed, either through errors in design or coding or by failing to implement appropriate security measures (e.g., encryption, authorization, and authentication). In addition, web application code must meet Open Web Application Security Project (OWASP) standards (see Section 4.c, Item #2).
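As an added illustration, not part of the UW standard, the following script shows how a system owner could audit a controlled computer against items #4 and #5 of section d: it flags "guest", shared and general-purpose interactive accounts, extra UID 0 accounts, and listening services outside the host's core purpose. The passwd lines, the listener list and the core-purpose allowlist are constructed assumptions that a system owner would replace with the host's own values.

```python
"""Added example, not part of the UW standard: audit a host's accounts and
listening services against items #4 and #5 of section d, "Controlled" Computer.
Inputs below are constructed; the allowlist is an assumed per-host setting."""

# Constructed sample of /etc/passwd lines (not taken from any real computer).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
shared:x:1002:1002:Shared lab login:/home/shared:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
jdoe:x:1003:1003:Jane Doe:/home/jdoe:/bin/bash
"""

# Account names that the policy treats as "guest", shared or general-purpose
# (assumed list; extend it to match local naming conventions).
GENERIC_NAMES = {"guest", "shared", "general", "lab", "temp", "test"}

# Constructed listing of listening services as (service name, TCP port), e.g. as
# collected from `ss -lntp`; CORE_ALLOWLIST is the assumed core purpose of this host.
SAMPLE_LISTENERS = [("sshd", 22), ("postgres", 5432), ("httpd", 80), ("smbd", 445)]
CORE_ALLOWLIST = {"sshd", "postgres"}


def audit_accounts(passwd_text):
    """Item #5: return findings for generic interactive accounts and for any
    UID 0 account other than root. Accounts whose shell is nologin/false are
    treated as non-interactive and skipped for the generic-name check."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        interactive = not shell.endswith(("nologin", "false"))
        if name.lower() in GENERIC_NAMES and interactive:
            findings.append(f"generic interactive account: {name}")
        if uid == "0" and name != "root":
            findings.append(f"extra UID 0 account: {name}")
    return findings


def audit_services(listeners, allowlist):
    """Item #4: return findings for listening services outside the core purpose."""
    return [f"unnecessary service listening: {svc}:{port}"
            for svc, port in listeners if svc not in allowlist]


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD) + audit_services(SAMPLE_LISTENERS, CORE_ALLOWLIST):
        print("FINDING:", finding)
```

On a live host the same functions can be fed the contents of /etc/passwd and a parsed listener table; each finding maps directly back to the policy item it violates.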