UW Information Security Program


Purpose

The University of Washington is dedicated to protecting the confidentiality, integrity, and availability of its information assets through the efforts of an information security program. The program is led by the Office of Information Security (OIS), using a risk management approach and promoting a culture of shared responsibility to safeguard personal and institutional data.

This document provides a description of the University of Washington’s Information Security Program, as implemented by UW Information Technology (UW-IT) and the Office of Information Security (OIS).


Scope

The UW Information Security Program applies to all areas of the University of Washington, including all three campuses (Seattle, Bothell, and Tacoma), unless otherwise stated in UW Administrative Policy Statement 2.4, “Information Security and Privacy: Roles, Responsibilities, and Definitions.”


Program

The University’s Information Security Program is based on requirements established in UW Administrative Policy Statements (APS). These policy statements establish roles and responsibilities for information security, privacy, and data protection; incident reporting and management requirements; and information security controls and operational practices. For specific requirements and the full scope of each policy, see the individual Administrative Policy Statements linked below.


Risk Management

The University of Washington protects the confidentiality, integrity, and availability of its information assets while balancing the needs of teaching, learning, and research. It is not possible or feasible to protect every aspect of the University’s network while supporting the University’s mission of preserving, advancing and disseminating knowledge. The Office of Information Security provides information security strategy, vision, and coordination across the University. Executive heads of University organizations are responsible for the risks associated with their assets. Information security is everyone’s responsibility.

The Office of Information Security’s risk-based approach to cybersecurity supports the University by balancing risks and creating situational awareness about critical information assets and associated threats. We examine real conditions while remaining adaptable and nimble in our practices.


Risk Management Practices

  • Adopt a repeatable risk management framework for reporting and prioritizing work efforts.
  • Document and assess the value of critical data assets, technology services, people, business relationships, and partners.
  • Prioritize assets and related risk-mitigation efforts based on available resources.
  • Establish clear responsibility and communication plans for information security, including incident response.
  • Enable innovation and control contract risk with fair, clear, and practical terms and conditions that reduce liabilities related to asset loss or compromise.
  • Implement an intelligence program based on reliable sources for evolving threats, incidents, industry trends, adversary profiles, and related analysis.
  • Establish a network of trusted strategic partners and experts, including our campus Security Advocates.
  • Implement incident response and management capabilities.
  • Minimize the electronic attack surface and vulnerabilities for all critical assets.
  • Implement tools and procedures to respond to and defend against intrusions

Roles and Responsibilities

Administrative Policy Statement 2.4 establishes roles and responsibilities related to information security and privacy. The Associate Vice President for Information Security / University Chief Information Security Officer (CISO) is responsible for providing information security vision, strategy, and coordination across the University, including documenting information security program activities.

In accordance with APS 2.4, the Office of Information Security conducts institutional risk assessments related to University information security practices; creates and maintains information security related policies, standards, and guidelines; provides support for compliance with information security related laws, regulations, standards, and contractual requirements; manages information security incident investigations, including forensics analysis; and serves as the University’s liaison with law enforcement and other outside authorities who may need to be informed about an information security incident. More information about services offered by the Office of Information Security can be found on the Services page.


Incident Reporting

Administrative Policy Statement 2.5 establishes the University’s approach to events that impact the privacy of personal data and/or compromise the security of information systems and information technology. All potential or confirmed information security incidents must be promptly reported to the responsible office, and those offices must maintain and publish processes and procedures for handling incidents.

Incident reporting and management processes for information security events that adversely impact the confidentiality, integrity, or availability of University information, infrastructure technology, or information systems are available on the Office of Information Security’s website.

The Associate Vice President for Information Security and University Chief Information Security Officer coordinates with other delegated authorities on incident response and investigations.


Security Controls

Administrative Policy Statement 2.6 establishes information security controls and operational practices for the University. The executive heads of major University organizations are responsible for managing the risks associated with their assets. The executive heads must document and implement an information security plan that demonstrates due care in securing their information assets by meeting the intention of the controls in APS 2.6. More information about information security plans can be found on the Office of Information Security’s Security Plan page.


Training and Awareness

The Office of Information Security provides information security training and educational material to all UW staff, faculty, and students covering a wide variety of topics, including basic security, phishing, and malware. In addition to training videos, the Office also publishes Risk Advisories, Best Practices, and Infographics. Additional specialized training may be required by individual departments or units.

UW staff, faculty, and students receive annual communications regarding securing University data, phishing risks, and other information security best practices. These communications act as reminders regarding individuals’ responsibilities in protecting data and the UW network against attacks.

Additional information regarding training and awareness materials can be found in the Education section of the Office of Information Security’s webpage.

In addition to online training and awareness material, the Office of Information Security provides outreach services. These services include consulting, workshops, numerous events, and a Security Advocates Community of Practice.


Compliance Coordination

Numerous laws and regulations impose information security compliance requirements. The Office of Information Security provides support for compliance with information security related laws, regulations, standards, and contractual requirements at the UW and works in coordination with a number of UW offices and delegated authorities who provide compliance oversight.

For more information about support for information security related laws and regulations, contact the UW Office of Information Security.