
UW Strategic Plan for Information Systems Security and Privacy Assurance

Prepared For:
The Privacy Assurance and Systems Security Council

Prepared By:
Kirk C. Bailey, CISSP
Manager of Strategic Computer Security Services
University Computing Services
University of Washington
Approved 3/15/02
Last Revision 5/27/03

Section 1. Purpose

This plan defines a comprehensive program to secure and protect the University of Washington's electronic information systems and data assets. The plan provides a framework of operational "best practices" that support all necessary components of information systems security required for the university to meet its compliance obligations to both federal and state regulations. Beyond mandatory compliance requirements, this plan is designed to support the university's own high standards and commitment to the preservation and protection of privacy, intellectual property, and quality technology-related services for all students, faculty, staff and citizens who become involved with the institution.

Section 2. Authorities and Sources

The University of Washington's extensive information systems resources and services are managed and operated in a challenging and complex academic, research, and business environment. As part of the university's effort to provide reliable technology services it is required to comply with a broad range of federal and state laws and regulations. Included among these are numerous specific rules and regulations related to information systems management, security, privacy protections, ethics and crime. In addition to its compliance obligations, there are industry best practices and formalized technical standards that are useful to help shape the university's technology environment. All of these authorities and sources have been considered in the preparation of this strategic plan.

Section 3. Challenges to Strategic Planning

The university is a very large and complex place. Developing and implementing a successful strategic plan to properly protect its vast information systems resources and associated data involves an enormous set of challenges. They include:

This strategic plan takes into account the realities of what is involved. It assumes that if the university intends to reduce the incidents of intrusions, misuse of its computing resources, and inappropriate access to data, resources will have to be allocated. The reality is that there are many departments and units within the university that currently do not have budgeted resources specifically for security. This problem is compounded by the fact that, even with financial resources, finding the necessary expertise to support security efforts is difficult. Elements of this plan are defined in response to these realities.

This plan includes several immediate affordable steps as well as important long-term strategies to help grow a stronger awareness of and emphasis on security and privacy protection. In addition, the plan is designed around a risk management approach that includes documenting the cost of prevention versus the cost of potential incidents.

Section 4. Applicability and Scope

This Strategic Plan is applicable to all of the University of Washington.

The scope of this plan is limited to defining the information security controls, assigned responsibilities, functional components, and security services and systems necessary for the University of Washington to meet its technology-related obligations and goals.

Section 5. Security and Assurance Plan Components

A. Organizational Controls and Resources

The university must ensure that an appropriate organizational structure exists to provide oversight and governance for security services, related planning, and associated risk management practices. This formal organizational component must be sponsored and supported by the university administration to give it the authority it needs to succeed and to meet the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other requirements. The Privacy Assurance and Systems Security Council (PASS Council) was chartered by the Offices of the Provost, Executive Vice President, the Vice President for Computing and Communications, and the Vice President for Medical Affairs and Dean of Medicine as the official oversight organization for the university.

Typically, organizational structure includes the assignment of a "Chief Information Security Officer." While it makes sense for most private sector businesses and some government organizations to establish such a position, the responsibilities can be distributed and shared. The PASS Council structure will work so long as:

The PASS Council's oversight responsibilities include:

The PASS Council must ensure validity and appropriateness of all of its published policies, programs, and best practices by establishing a formal review process of all proposed material by certified security and audit professionals and representatives of the user community as required.

In general, finding enough organizational resources to properly support security functions will always be problematic. This is especially true within a university environment. This challenge should be carefully considered in all efforts and actions taken by the PASS Council. Wherever possible, the PASS Council should use its designated responsibilities to promote and support the allocation of staff resources and budget to support security efforts. In addition, the PASS Council should use its considerable expertise and strategic perspectives to prioritize specific projects and efforts to ensure the best use of resources.

B. Information Systems Security Policy and Associated Guidelines

The university must have in place appropriate policies and best practice guidelines to ensure a safe, compliant, and properly risk managed computing and network environment. Beyond formal policy, specific guidelines and recommended procedures for the university community shall be published to help address a broad range of administrative concerns including but not limited to:

Telecommuting and remote access services and use

The primary, over-arching information security policy principle is the university's commitment to comply with all state and federal regulations, operational best practices, and its own high standards and ethical conduct to best protect information systems and assets. All specific policies that are developed will adhere to this fundamental compliance principle.

C. Security Awareness Training and Education

A university-wide Security and Privacy Awareness Training and Education Program must be developed and implemented based on current resources that are available. This kind of education and training is the most cost-effective security measure that an organization can adopt.

The program must be flexible in content, message, and design to accommodate multiple targeted audiences: university administration officials, deans, chairs, department heads, system and network administrators, faculty, and students. The content and information that is delivered must support the strategic message that everyone is responsible to do their part to protect the university's information systems and data. Sensitive information, the university's reputation, availability of computing services, legal liabilities, intellectual property, and individuals' right to privacy are at stake.

The program's content and structure will be the responsibility of the PASS Council. C&C's Manager for Strategic Computer Security Services will be responsible to drive this effort for the PASS Council. Modest resources and expertise contributed by a coalition of university departments and groups can support content suggestions and program implementation. Initially the program should rely on as many existing communication tools, information sharing venues, publications, university websites, and campus publications that make sense to leverage. For the long term, the program should strive to become more institutionalized and permanently funded.

D. Threat Assessment and Risk Management

The university will establish threat assessment and risk management methodologies related to its information systems and data protection objectives. This is an important component of this strategic plan. The university's ability to identify risks, determine their relevant magnitude, and quantify the cost and effectiveness of mitigating safeguards is difficult to achieve. In an environment such as the university, this will be an important practice. Besides liability issues, understanding the potential risks and costs associated with the potential loss or theft of important research information will be a powerful factor for promoting security programs.

The PASS Council will help coordinate and provide oversight and direction for these efforts specific to technology-related issues. Choices regarding the potential use of automated risk analysis tools, establishing priorities for risk mitigation, and whether to measure risk with qualitative or quantitative methodologies shall be determined by the PASS Council. In addition, the PASS Council will coordinate all reporting on risk management recommendations related to technology.

E. Security Incident Response and Reporting

The university must establish and maintain a formal security incident response capability. This is mandated by federal compliance requirements (e.g. HIPAA) and it is needed to determine the extent of damage an incident may have inflicted. Properly prescribed response measures can provide mitigation of harm, quick remediation, and opportunities to improve information security controls for the university and possibly others who could be affected by an incident. The PASS Council will provide support for the development, publishing, and maintenance of a formal university-wide information systems security incident response plan. Security managers for C&C and UW Medicine will coordinate this program effort for the PASS Council.

The formal plan must ensure appropriate reactive measures for suspected system compromises or misuse. There are several existing models for such a plan operating in the field. Professional security organizations also publish guides. The university's plan should look to these examples and follow industry standards and best practices in the formulation of its formal plan.

The university currently has limited response resources to deal with an ever-growing number of incidents. As a result, the formal plan needs to accommodate difficult decision-making processes. This requires two critical plan components that must be carefully defined:

As part of its responsibilities, the PASS Council shall provide centralized coordination services and support for response activities and reporting regarding serious incidents. The senior university official who is ultimately accountable for the incident will have the option to direct the PASS Council's involvement.

To properly support its incident response program, the university should establish formal investigation and computer forensic capabilities. These are proving to be critical "in-house" services for a rapidly growing list of organizations. These capabilities are essential for the university so that it has the means of determining the facts of a security breach.

Training for investigative skills and electronic evidence discovery needs to be supported and funded. A formal, permanent computer forensic lab should be funded and established. Currently, these services are provided to the university by ad hoc efforts that need to be formalized and certified. Security managers for C&C and UW Medicine should coordinate this program effort for the PASS Council.

F. Anti-Virus Measures

The threat of computer viruses is well documented and understood. Everyone is vulnerable even with the latest virus protection software installed, updated and operational. The university, like every other organization, must work constantly to protect itself and continue to allocate resources to respond to virus incidents.

The university and all of its various departments need to work towards uniform, multi-layered technical protection measures. In addition, user education continues to be a very important part of "successful" anti-virus programs found in the field. The PASS Council should support, whenever and however possible, all technical and educational efforts. It should include in its security and privacy awareness training and education program information and recommendations concerning anti-virus tools, user guidelines, and potential resources. Appropriate anti-virus measures shall also be included in information systems and network security policy and associated guidelines.

G. Physical Security Policy

The university must ensure that appropriate physical security requirements are identified and support the implementation of these measures to help protect critical information systems and assets. As part of this effort the PASS Council will provide support for the development of university-wide Physical Security Policy and include it in information systems and network security policy and associated guidelines.

The published policy will define guidelines, procedures and tools that provide for the proper disposal of computing devices, paper, fiche, and film documents.

As part of these specific efforts, the PASS Council will ensure that education about the physical security policy will be included in the security and privacy awareness training and education program.

H. Business Continuity and Disaster Recovery

The university has established and continues to build a viable disaster recovery program for the protection and recoverability of critical systems, network services, applications and related data. This program also includes business resumption planning for the various departments and work units of the university. These programs must also include, within their defined recovery processes, specific measures and best practices to help maintain compliance with the various statutory and regulatory requirements related to protection of confidential information.

The PASS Council will ensure that all necessary measures are documented in the information systems and network security policy and associated guidelines.

I. Data and Systems Access Controls

Specific to information systems that maintain sensitive information, the university must implement information systems access controls that ensure only persons with a need can access specific information. This means that access is given only to the information an individual requires in order to perform their job. Types of access controls can include mandatory access control, discretionary access control, time-of-day restrictions, classification, and subject-object separation.

The PASS Council will ensure that all necessary measures are documented in information systems security policy and associated guidelines.

J. Network and Systems Security Review Services

The university must develop and implement an appropriate security review and reporting service to assist operators of computing systems attached to the university's networks. This is a technical evaluation that can identify the extent of potential vulnerabilities specific to an individual system. The review process can be either automated (e.g. network scanning) or manual. Properly implemented these review processes can provide valuable reports for both the operators of the systems in the various departments and the security and network professionals responsible for maintaining university computing and network services.

The PASS Council will provide the oversight and approval for any such review services. All review activities must be conducted by trained technical professionals and will require an approved plan before being conducted.

The PASS Council will ensure that all related information is documented in systems security policy and associated guidelines.

K. Chain of Trust Agreements for Information Exchange

The university must establish "Chain of Trust" contractual agreements with all business partners, and other entities as required by federal regulation. "Chain of Trust Partner Agreements" are defined as follows in the Security and Electronic Signature Standards (45 CFR Part 142):

"(It is a) contract entered into by two business partners in which it is agreed to exchange data that the first party will transmit information to the second party, where the data transmitted is agreed to be protected between the partners. The sender and receiver depend upon each other to maintain the integrity and confidentiality of the transmitted information. Multiple such two-party contracts may be involved in moving the information from the originator to the ultimate recipient, for example, a provider (doctor) may contract with a clearing house to transmit claims to the clearing house, in turn, the clearing house may contract with another clearing house or with a payer (insurance company) for the further transmittal of those same claims."

The PASS Council should include in its UW Information Systems Security Policy and associated guidelines university-approved processes for establishing such agreements and criteria for evaluating where such agreements might be required. The PASS Council will also ensure that appropriate information about this obligation is included in its security and privacy awareness training and education program.

L. Fair Information Disclosure Practices

The university is required to adhere to strict information disclosure rules that are established by legislation, regulation, and internal policy. All rules, standards, procedures, guidelines, and best practices established by the university regarding the disclosure of confidential information will be supported with appropriate information security technology services.

The PASS Council should include in its UW Information Systems Security Policy and associated guidelines documentation that defines the information systems security measures and procedures that are required. The PASS Council will also ensure that appropriate information about this obligation is included in its security and privacy awareness training and education program.

M. Audit Services

Internal auditing processes are key oversight functions that help ensure the overall effectiveness of planned information security strategies. The university must establish and maintain appropriate programs specific to this UW Strategic Plan for Information Systems Security and Privacy Assurance. This service will assist the PASS Council in measuring the effectiveness and applicability of the plan components. It will also provide documentation that validates the university's efforts to meet its compliance and best practice responsibilities.

Section 6. Plan Review and Revisions

This Strategic Plan for Information Systems Security and Privacy Assurance is a dynamic and "living" document. It will require changes as technology, regulatory requirements, and the university itself change. To ensure the effectiveness and relevance of this plan, the PASS Council will be required to periodically review and revise it as necessary. Plan revisions are not limited to this periodic review process. Revisions can and should be made whenever changes are required. All revisions of the plan must be formally presented to the PASS Council for its review and approval.