Office of the Chief Information Security Officer

Information Security Program

The UW’s Information Security Program comprises the following information security elements. The figure below illustrates the relationship of the strategic, tactical, and operational areas. The strategic and tactical areas are the responsibility of the Office of the Chief Information Security Officer (CISO), executive management, and the Privacy Assurance and Systems Security Council (PASS Council).

The operational area is part of the distributed security program, and its elements are directly managed by the individual departments within the UW based on the plan and institution-wide policies. Occasionally, there are institutional objectives within the operational area that the Office of the CISO will direct.

Information Security and Privacy Program pyramid

Information Security Elements

Careful consideration was given to the development of the information security elements that help protect the UW and adapt to new threats and vulnerabilities. These defined elements are as follows:

  • Organization & Authority – Focuses on the roles and responsibilities for providing the required IT leadership, objectives, and resources for the development and enforcement of appropriate governance programs.
  • Policy – Focuses on establishing appropriate policy oversight, IT security policies, and supporting IT security efforts to set the required standards, guidance, and enforcement to meet compliance and risk requirements.
  • Audit & Compliance – Focuses on compliance and security audits within the organization to provide management and regulators with assurance that controls are adequately designed and operating effectively to meet compliance and risk management requirements for information security.
  • Risk Management & Intelligence – Focuses on proactively identifying new threats, vulnerabilities, and risks through key strategic alliances, innovative information gathering, and information sharing practices. Also focuses on ongoing risk assessments, identification of risk tolerance levels, and implementation of associated risk control programs.
  • Privacy – Focuses on information privacy compliance requirements and protection within the UW business framework and institutional policy.
  • Incident Management – Focuses on response and resolution of information security incidents to minimize the business impact and risk of further incidents as well as meet all legal and contractual requirements.
  • Education & Awareness – Focuses on the planning, procedures, documentation, and implementation of security awareness and related training for employees, service providers, students, faculty, and other users of UW computing resources.
  • Operational Management – Focuses on appropriate security controls and operational practices for UW networks, computer systems, applications, and data throughout the UW.
  • Technical Security & Access Control – Focuses on the controls that restrict access in compliance with UW Information Systems Security Policy and operating principles (Access of Least Privilege and Separation of Duties).
  • Monitoring, Measurement, & Reporting – Focuses on the controls that define the event information that will be logged and monitored, adequate analysis of the information, and the alert levels that will be triggered for incident response.
  • Physical & Environmental Security – Focuses on physical protection of data centers, physical assets, and data from theft, damage, or loss.
  • Asset Identification & Classification – Focuses on planning and operational procedures related to inventory, accountability, responsibility, classification, and implementation of associated controls.
  • Account Management & Outsourcing – Focuses on the policy and procedures governing the hiring, transfer, termination, and clearance processes for employees, contractors, and vendors.