System Owners and Operators

generic computer image

UW Medicine requires that any networked device (computers, printers, Xerox machines, etc.) must have a person assigned as a System Owner and System Operator (SO/SO). These individuals are legally liable for the device in the eyes of the State of Washington and UW Medicine, and are responsible for the day to day operation, security, and use of the device. The same person can serve as both System Owner and System Operator.

The Department of Pediatrics Administration team offers to serve as SO/SO for all computers in the department. However, some individuals may wish to take on these liabilities and responsibilities for themselves. The Department Administration team has developed a process allowing these individuals to become their own SO/SOs. A short summary of the process has been included below.

System Owners: are usually the individuals with budgetary control over the system. This person should be able to authorize purchases of software and / or hardware required to meet policy requirements, and / or have the authority to decommission the system.

System Operators: are usually tech-minded people who are responsible for the day to day maintenance, repair, and setup of computers and network devices, and are responsible for implementation of any measure needed to meet UWMedicine Security policy.

Becoming a System Owner or System Operator:

A brief summary of the process has been provided below.

  1. Attend a ITServices SO/SO training class. Email: mcsos@u.washington.edu for the class schedule.
    Attendance lists will be recorded by UWMedicine, Security Infrastructure Team (SIT).
  2. Print out and sign a Departmental SO/SO Agreement and turn it in to the Pediatrics Operations Director or IT Manager.
  3. Complete an inventory and risk assessment for each device. This is available at: http://depts.washington.edu/pedinv/.
    The web site is password protected, so you will need to contact the Department Administration IT Group for access (pedcomp@u.washington.edu).
  4. Do some thinking about contingency plans and backup systems. Fill out the What If Document, and email a completed copy to the Department Administration IT Group (pedcomp@u.washington.edu).
  5. Fill out a UW Medicine Informal Compliance Review (ICR). Based on the risk assigned to your systems in #3, you will receive one of two tests. The minimum Security ICR is ten questions, and the Advanced Security ICR is 73 questions. Remember to record how you met each UW Medicine policy requirements in the comments section of each question.
    The ICR is documented and assessed by UWMedicine, Security Infrastructure Team (SIT).
    A guide is available for the Advanced ICR.
  6. If you have servers in your system (a server is any computer that offers a service or resource to others over a network), you need to pass a System Security Certification. These are very detailed and complex.
    System Certification is documented and assessed by UWMedicine, Security Infrastructure Team (SIT).
    If you would like assistance with this step, contact your Departmental Administration IT Group (pedcomp@u.washington.edu).

Any items that are not found to be adequate will need to be corrected. It's a good idea to review the UW Medicine Policies and State and Federal Laws and Regulations that apply.