University of Washington Policy Directory

Print This Page
*Formerly part of the University Handbook
Administrative Policy Statement

Information Security Controls and Operational Practices

(Approved by the Vice President for UW Information Technology and Chief Information Officer by authority of Executive Order No. 63)

1.  Purpose

University of Washington (University) shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.

This policy describes the information security controls used by the University to protect its institutional information, information systems, computerized devices, or infrastructure technology. The underlying principles of this policy are to achieve the ideal of access of least privilege and separation of duties for the creation, use, and dissemination of information. The following controls will be implemented based on the approved information security standards and will be commensurate with asset value and risk as determined by the Executive Heads of Major University Organizations.

2.  Scope

This policy is applicable to all the University.

3.  Security Plan

The Executive Heads of Major University Organizations are responsible for the risks associated with their assets. They must document and implement an Information Security Plan (Plan) that demonstrates due care in securing their assets by meeting the intention of the controls in this policy statement. The Plan must address each of the requirements in this policy statement and include the following:

  • Delegate Plan responsibilities to the appropriate people (e.g., system owners, system operators)

  • Include a Plan implementation timeline and milestones

  • Describe the organization's approach to implementing the Plan (e.g., by department, by functional area, or by asset type)

  • Document critical assets and the controls that are implemented for each of them

  • Describe alternate or compensating controls and the rationale for selecting them.

For Plan templates and information security guidelines related to this policy statement, see the Office of the University Chief Information Security Officer website.

4.  General Operational Controls

General operational controls include the appropriate security controls and operational practices for the University's networks, information systems, applications, and information throughout the institution. These controls must be defined, implemented, maintained, and include the following:

  • A change and configuration management process

  • A flaw remediation process

  • A malicious code and unauthorized software countermeasure process

  • A data protection and destruction process

  • Secure development practices

  • Backup and recovery processes for critical information and software

  • A business continuity and disaster recovery plan

  • Information security technical architecture standards

  • System build and maintenance standards

  • Acceptable use standards.

5.  Technical Security and Access Controls

Technical security and access controls restrict access to institutional information and systems in accordance with the University's information security and privacy policies and standards. These controls must be defined, implemented, maintained, and include the following:

  • Remote access process

  • Cryptographic controls for protecting data

  • An access authorization process for all users and information systems

  • An authentication mechanism for all authorized users and information systems

  • Network, system, and application level protection measures.

6.  Monitoring Controls

Monitoring controls define the event information that will be logged and monitored, and alert levels that will be triggered for incident response. These controls must be defined, implemented, maintained, and include the following:

  • A baseline measurement process for application, system, and network activity

  • A monitoring capability for critical systems

  • An intrusion detection mechanism

  • Logging processes for networks, systems, and applications.

7.  Physical Controls

Physical controls define the protection required for the data center, physical assets, critical information systems, and institutional information. These controls must be defined, implemented, maintained, and include the following:

  • Physical protection and access processes for buildings that house critical information technology and systems

  • A physical protection process for critical information systems and institutional information.

8.  Asset Identification Controls

Asset identification controls include the planning and operational procedures related to asset inventory, accountability, responsibility, and information classification. These controls must be defined, implemented, and maintained to identify, inventory, assign ownership, and classify institutional information and information systems using the following information classification scheme:

9.  Account and Identity Management Controls

Account and identity management controls govern the hiring, termination, and background checking procedures for the University's workforce members. They also focus on identity and account management for all accounts such as employee, non-employee, system, or service accounts. These controls must be defined, implemented, maintained, and include the following:

  • An identity and eligibility verification and registration process

  • A user and system account life cycle management process.

10.  Policy Maintenance

The University Chief Information Security Officer shall review and approve this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment, prior to being sent for final approval by those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.

11.  Additional Information

For additional resources or further information on this policy statement, see the Office of the University Chief Information Security Officer website, or contact the office as follows:

  • Phone: 206-685-0116
  • Campus mail: Box 352820
  • Email:

June 20, 2012; October 28, 2013.