PASS Council Charter
Privacy Assurance and Systems Security Council
(PASS Council)
Approval 9/27/01; Last Revision 9/12/03
Sponsors in 2001:
Lee Huntsman, Provost
Weldon Ihrig, Executive Vice President
Ron Johnson, Vice President for Computing and
Communications
Paul Ramsey, Vice President for Medical Affairs &
Dean of Medicine
Goal:
Create a safe, compliant, and risk-managed computing and networking environment by establishing an accountable, campus-wide administrative authority chartered to address the University's strategic security/risk management and compliance requirements.
Objective:
The central objective of the Privacy Assurance and Systems Security (PASS) Council is to reduce the vulnerabilities and related risks associated with the University's complex information technology environment. The PASS Council is a central administrative authority, which provides oversight regarding planning, direction and policy for security and assurance of the UW information systems, networks and the information that resides on them. The PASS Council performs the following services:
- Oversee the development, implementation and maintenance of a University-wide Strategic Information Systems Security and Assurance Plan (including security awareness programs, defined incident response processes, access control mechanisms, and defined organizational roles and responsibilities).
- Oversee the development, implementation and enforcement of University-wide Information Systems Security Policy and related recommended operating and technical standards.
- Advise the University Administration on related risk issues and recommend appropriate actions in support of the University's larger risk management programs.
- Ensure related compliance requirements are addressed (e.g. privacy, security and administrative regulations associated with HIPAA and other Federal and State rules).
- Ensure appropriate risk mitigation and control processes over security incidents as required.
The PASS Council works with administrative and technical staff at the UW to achieve broader recognition of the risk inherent in having network-connected computers that are not securely maintained, and to understand the need for having and adhering to policy, guidelines, and standards for installing and maintaining secure systems on the UW network.
Weighing the cost versus the risk, as well as the need for access to information, the PASS Council establishes working groups to design processes and requirements for the maintenance of network-connected computers.
Members:
The PASS Council's membership consists of the following University officials:
- Chief Information Security Officer, University of Washington
- Chief of Police, University Police Department
- Chief Information Officer, Information Technology Services, UW Medicine
- Associate Vice President, UW Technology
- Executive Director, Internal Audit
- Director, Health Sciences/UW Medicine News and Community Relations
- Assistant Vice President, Human Resources Administration and Information Systems
- Executive Director, Risk Management
- Laboratory Director, Computer Science and Engineering
- Executive Director, Health Sciences Administration
- Director, Security and Networking, Information Technology Services, UW Medicine
- HIPAA Compliance Officer, UW Medicine Compliance
- Facility Security Officer, University of Washington
- Director, Mobile Communication Strategies, Network Systems, UW Technology
- Associate Vice Provost, Enterprise Information Services, Office of Information Management
- Director, Research Information Services, Office of Research
Advisors:
The PASS Council advisors include:
- Assistant Attorney General, University of Washington Division, Attorney General's Office
Scope:
In this emerging era of e-government, e-medicine, e-business, e-learning, etc., it is crucial that the University responsibly protect and ensure the integrity of its systems, information resources and the business, health care, student, research and academic information, as well as the personal and other confidential data with which we are entrusted. Additionally, the UW is, as a matter of statute, policy and code, required to demonstrate and maintain compliance with State of Washington security and trust fabric standards, as well as a number of continuing and new federal standards and regulations. The interwoven nature of the University and academic Medical Center communities, the intrinsically interconnected realm of the Internet, and the complex interrelationships of system transactions and of the creation of, access to and use of information across the institution, require that we establish and sustain a proactive and effective university-wide approach to systems security and integrity issues and threats.
The main focus of the group will be on strategic planning, policy and guidelines, best practices, security awareness training and education, and procedures related to the operations and maintenance of the over 65,000 computers directly connected to the UW network. Support for these computers ranges from excellent to nonexistent. Knowledge about, and sensitivity to, security and integrity issues varies substantially. Here the council's main concern is dealing with the computers that have vulnerabilities that leave them, and hence other UW systems, open to misdeeds such as spamming, denial-of-service attacks and the depositing of illegal material, as well as the even more serious threats of password sniffing and cracking.
The UW also has a related deep concern for ensuring the privacy, accuracy and protection of data maintained on departmental and individually controlled computers and PDAs. A major effort is required to enhance the university-wide mechanisms to identify problems and exposures, and/or to enable and ensure accountability by those people and departments who own, operate, use, or maintain UW's computers and networks.
Constraints:
Most of the computers on the campus network are not owned or managed by a central authority.
There are initial and on-going costs to making and keeping the university computers as secure as they need to be.
Assumptions:
People and departments owning and maintaining computers on the UW network, for the most part, want to secure their systems once they are made aware of the vulnerabilities.
Resources:
To accomplish this, the council needs:
- Public endorsement from UW upper administration
- Contribution from technical and administrative people to help develop the policies and guidelines
- Departments' willingness to allocate resources to establish and maintain this effort
Deliverables:
At a minimum, find the resources to produce:
- A University-wide Strategic Information Systems Security and Assurance Plan. (approved 3/15/02)
- A University-wide Information Systems Security Policy
- Policy enforcement mechanisms and practices
- Recommended operating and technical standards for system protection
- A university-wide incident response program that fully supports the university's broader risk management program
- A University of Washington security awareness program
- Key support services for University-wide compliance requirements
User Input:
Campus-wide input into policy creation and security practice is actively sought from UW system administrators, departmental administrators, technical advisory committees, faculty, staff, and students.
