UW Information Systems Security Policy Development, Revision, and Exemption Processes

Approved April 2002
Revised and Approved April 2004
Currently in PASS Council Review

Prepared for:
The Privacy Assurance and Systems Security Council

Prepared by:
Kirk Bailey, CISSP
Manager of Strategic Computer Security Services
Computing & Communications
University of Washington

Process Principles

University of Washington senior administrators are responsible for policies associated with the University's operation, management, and use of its facilities and services. This responsibility for policy promulgation and enforcement practices requires careful consideration of many factors as well as support from diverse subject matter experts.

The processes of developing, approving, implementing, and enforcing policies for information technology deployment, use, and security practices are challenging and never can be democratic. They must be practical, pragmatic, and based on requirements found in compliance, risk management, operational, and financial objectives. Individuals who are accountable and knowledgeable about technology, the defined risk positions, enforcement capabilities and practices, compliance responsibilities, and financial and business objectives of the University must drive policy formulation in this area.

The policies created by these processes and all the related management and enforcement practices must be endorsed and fully supported by the University's senior administrators in order for them to be effective. The specific processes outlined below are based on these principles.

Policy Development Process

The development process for information systems security policy is managed by the University's Privacy Assurance and Systems Security Council (PASS Council). (See PASS Council Charter.) When developing specific policy, the PASS Council invites the participation of subject matter experts, when appropriate, to ensure the best possible results.

The language and production of UW information systems security policies are the responsibility of the PASS Council. Drafting of policies may be delegated to subject matter experts and technical writers. The PASS Council is accountable for overseeing and directing the process and ensuring the documents are completed in a timely fashion.

When a proposed new policy or revision is being developed, feedback and recommendations for consideration are solicited from appropriate members of the UW community, including faculty, students, staff, system and network administrators, help desk staff, outside consultants, and others.

The PASS Council must reach a consensus agreement on the proposed policy in order to take it forward for formal approval.

Policy Approval Process

When the PASS Council has prepared and agreed on a final policy proposal, it submits the draft to the University Technology Advisory Committee (U-TAC) for review and a recommendation of approval.

If the U-TAC has any questions or requests changes to the policy proposal, the PASS Council responds accordingly to resolve all issues.

Once the U-TAC has endorsed the policy, it is forwarded to the UW president with a request for approval, when appropriate.

When the policy is approved, it is published and posted for the University community in a standard format.

Policy Review Process

The PASS Council must perform an annual review of the UW information systems security policies. At other times during the year, technology and security changes, revision of other university policies and practices, or a formal request for modification may trigger a review.

Policy Revision Process

In the event that a policy statement is perceived to need revision or revocation, a formal request for policy modification must be brought to the PASS Council. Formal requests must be endorsed and sponsored by at least one department head, dean, or senior official of the same or higher status within the University. The request should be formally documented and submitted to a member of the PASS Council for consideration.

The PASS Council handles all policy revision requests in the same manner as policy development. A review process is invoked if the PASS Council determines that the formal request has merit. The PASS Council is not obligated to hear directly from the requesting parties, but it can if it is deemed appropriate.

In the event that the PASS Council refuses to review a formal request or denies the requested action after the review, the requesting parties can request an appeal of the PASS Council decision. If an appeal is requested, the PASS Council forwards all relevant documentation and comments to the U-TAC for its consideration.

If an appeal is requested and the U-TAC reverses the original decision of the PASS Council by choosing to ask the PASS Council to consider the request or to approve the requested action after the review, then the PASS Council and the U-TAC must follow the procedures outlined in this document to review and approve new policy.

Policy Exemption Process

In the event that unusual circumstances create a viable reason for a department to request an exemption to policy, an official waiver must be obtained. Such a waiver of policy must be formally submitted to the PASS Council. A formal waiver is considered only if it is fully documented, endorsed, and sponsored by at least one senior University official.

Depending on the nature, extent, and potential risks of the waiver, the PASS Council has the authority to approve such requests. It is the responsibility of the PASS Council to determine if the exemption requires the approval of the U-TAC.

If the PASS Council approves an exemption waiver to policy, it acknowledges it in a formal letter to the requesting parties, delineating the potential risk the requesting department is assuming. The PASS Council also notifies the members of the U-TAC of all approved waivers.

In the event that the PASS Council wishes to approve a policy waiver that is associated with significant risk, the PASS Council may choose to obtain the formal approval of the U-TAC before the waiver can take effect.