Skip to body

Resources and Reports

CWUP 2-70-050 Information Security Controls

(1) Policy

Central Washington University (University) shall implement and maintain procedural, physical, technical, and regulatory safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27001:2013 information security standard shall be used as a guideline and all implemented security controls will be commensurate with asset value, aligned with the appropriate compliance requirements, and as determined by an internal risk assessment process.

In accordance with ISO/IEC 27001:2013, the following information security control domains are therefore implemented:

• Information Security Policies
• Organization of Information Security
• Human Resource Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• System acquisition, Development and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Business Continuity Management
• Compliance

The specific information security controls associated with each security domain listed above, are detailed in the information security procedure that accompanies this policy. 

(2) Scope

This policy is applicable to all information systems, networks, staff, faculty, students, student employees, and outside contractors that are affiliated or conduct work on behalf of the university. The policy also applies to any information that is created, used, and disseminated on behalf of the university in accordance with CWUP 2-70-020 Data Classification and Usage Policy.

(3) Responsibilities

The chief information security officer is overall responsible for the development and enforcement of the enterprise-wide information security program. It is understood that certain security controls, as appropriate, will be implemented by other functional areas in compliance with this policy.

(4) Risk Assessment

Resources employed in implementing security controls need to be balanced against the institutional harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.
It is understood that follow-on risk assessments may identify changes in the University’s risk appetite, thereby driving a change in the implemented security controls to ensure the identified risks are appropriately mitigated.

(5) Internal Audit

The Security Services department shall plan, establish, implement and maintain an audit program, including the frequency, methods, planning requirements, and reporting associated with the program.

(6) Policy Maintenance

The chief information security officer shall review and recommend changes to this policy statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.

(7) Implementation

Failure by an individual to comply with the university policies on information security and privacy may result in disciplinary action up to and including termination for University employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student.

The university reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of a violation of the University policies on information security and privacy.

(8) Additional Information

For additional resources, further information on this policy statement, or for a definition of any term used in this policy document, please see the Security Services website.

[Responsibility: VP of Operations; Authority: Cabinet/PAC; Reviewed/Endorsed by: Cabinet/PAC; Review/Effective Date:06/04/2014; Approved by: James L. Gaudino, President]

Take the Next Step to Becoming a Wildcat.