CWUP 2-70

CWUP 2-70-010 Information Security and Privacy Roles and Responsibilities

(1) Policy

The Chief Information Security Officer (CISO) oversees the university information security and privacy activities through the implementation of an information security program that supports the principles of confidentiality, integrity, and availability for University institutional information. The security program is implemented in support of and according to the Information Services and Security strategic plan and CWUP 2-70-050 Information Security and Privacy Controls.

(2) Roles and Responsibilities

Various positions across the university have responsibility for information security and privacy.

(A) Security, Privacy, and Data Advisory Council

The Security, Privacy, and Data Advisory Council (SPDAC) provides institutional advisory services for information security and privacy to the Chief Information Security Officer and broad strategic guidance to support the university-wide information security program. The council is led by the Chief Information Security Officer and the Director of Institutional Effectiveness and reports up to the Enterprise Information Services Committee. The membership of the council is composed of staff representing key areas of the University. The responsibilities of the council include, but are not limited to:

1. Advise, seek wide input, and recommend strategic direction to the Chief Information Security Officer on university-wide information security and privacy;

2. Review and recommend university-wide information security and privacy policies, standards, guidelines, and operating procedures related to institutional information in any form (e.g. electronic or paper);

3. Review and coordinate with the Chief Information Security Officer regarding privacy and compliance requirements related to information security and privacy laws and regulations that impart a duty upon the university;

4. Review institutional risk issues and provide appropriate recommendations in support of the university's larger risk management programs and objectives;

5. Serve as a point of contact for the Chief Information Security Officer as well as for the organizational area(s) for which they are responsible in matters related to information security and privacy; and

6. All additional responsibilities outlined in the SPDAC charter.

(B) Data Owners

Data owners are executive leadership team-level employees with overall responsibility for the business results or the business use of the data within their delegations of authority (e.g. the Chief Financial Officer, Provost, or Vice President of Operations). The responsibilities of the data owners include:

1. Overall responsibility and accountability for the data within their subject area domains; and

2. Recommend policies, standards and guidelines regarding information security and privacy, business definitions of information, and the access and usage of that information, within their delegations of authority.

(C) Appointing Authorities

Appointing Authorities are assistant vice presidents, associate provosts, deans, executive directors and other individuals with delegated authority for an organizational area as provided in CWUP 2-10-170 Appointing Authority and Delegation of Authority. These individuals, or their designee(s), have the following information security and privacy responsibilities:

1. As needed, develop, recommend, implement, and maintain policies, standards, or guidelines that are consistent with the university policies on information security and privacy, within the organizational area(s) for which they are responsible;

2. Be accountable for risks, compliance obligations, and financial costs associated with university information security and privacy, including information security and privacy incidents and information security breaches, within the organizational area(s) for which they are responsible; and

3. Follow the recommendations of the Chief Information Security Officer or designee, in connection with an information security and privacy incident investigation, and direct others to do so.

(D) Data Stewards

Data stewards are designated by and responsible to the appointing authority or designee (such as payroll, accounts payable, purchasing, or human resources business leads). Data stewards have knowledge of and work in accordance with numerous federal, state, and university rules and policies, including university policies on information security and privacy. The data steward role focuses on managing data content and the business logic behind all data transformations. The responsibilities of data stewards include:

1. Help define, interpret, implement, and enforce federal, state, and university policies, standards, and guidelines for institutional information within their purview;

2. Identify systems of record containing institutional information;

3. Categorize institutional information within systems of record as public, restricted, or confidential, as defined in CWUP 2-70-020 Data Classification and Usage policy;

4. Define usage and quality standards and guidelines for institutional information within their purview; and

5. Develop and implement formal and auditable data access processes for institutional data under their stewardship.

(E) Data Custodians

Data custodians report to the Chief Information Officer (CIO) or Director of Business Intelligence (BI), or their designee(s). The data custodians are responsible for the safe custody, transport, and storage of institutional data. The responsibilities of the data custodians include:

1. Support and manage the day-to-day confidentiality, integrity, and availability of the information systems for which they are responsible;

2. Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of data;

3. Determine user access and obtain approval(s), as delegated;

4. Make and be accountable for operational decisions about the use and management of an information system in accordance with established business rules and policies; and

5. Maintain critical information system documentation.

(F) Data Users

Data users are faculty, student employees, staff, or third-party vendors. Data users shall consult with and follow the applicable laws, regulations, and university rules, policies, standards, and guidelines. Data users shall only access and use University information systems and institutional information to fulfill authorized job duties or activities for the university and in compliance with the Acceptable Use Policy CWUP 2-40-010.

Any agreement that provides a third party with access to or use of institutional information shall be approved through the appropriate department.

(3) Policy Maintenance

The Chief Information Security Officer shall review and recommend changes to this policy statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.

(4) Implementation

Failure by an individual to comply with the university policies on information security and privacy may result in disciplinary action up to and including termination for university employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student.

The university reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of a violation of the university policies on information security and privacy.

[Responsibility: AVP of ISS; Authority: Cabinet/UPAC; Reviewed/Endorsed by: Cabinet/UPAC; Review/Effective Date: 6/4/2014; 02/03/2021; Approved by: A. James Wohlpart, President]

CWUP 2-70-020 Data Classification and Usage Policy

(1) Policy

Central Washington University (university) faculty, students, and staff require access to institutional data in support of the university's teaching, research, and outreach missions. The university's institutional data is a valuable asset and must be maintained and protected as such. The purpose of this policy is to help ensure the protection of the university's institutional data from accidental or intentional unauthorized access, damage, alteration, or disclosure while preserving the ability of authorized users to access and use institutional data for appropriate university purposes.

Institutional data is defined as all data created, collected, maintained, recorded or managed by the university, its staff, and agents working on its behalf. It includes data used for planning, managing, operating, controlling, or auditing university functions and data used for university reporting.

(2) Scope

This policy applies:

(A) To enterprise-level operational and administrative institutional data as well as data sets containing these data and systems that may access these data.

(B) Regardless of the environment, media, or device where the data resides or is used and regardless of how the data may be transmitted. It also applies regardless of the form the data may take or the data presentation format.

(C) To all extracts of covered institutional data, feeds of these data from enterprise systems, and data maintained within so-called shadow or secondary database systems, whether derived from enterprise systems or collected or assembled directly by university units. Data in these systems must be classified and protected in the same manner as prescribed by the data steward, or designee, for similar data in primary enterprise systems.

(D) To all university community members, whether students, faculty, staff, or agents, who have access to University institutional data. In addition, to the extent possible, it applies to any person or organization, whether affiliated with the university or not, in possession of university institutional data.

(3) Policy Statements

(A) Data Regulatory Compliance

University employees working with or using institutional data in any manner must comply with all federal, state, and other applicable laws; all applicable university policies, procedures and standards; and all applicable contracts and licenses. For a complete list of privacy laws and regulations related to data classification and usage that impart a duty on the university, see the Security Services department website.

(B) Data Roles and Responsibilities

All university employees are responsible for ascertaining, understanding, and complying with all laws, rules, policies, standards, contracts and licenses applicable to their own and their subordinates' specific uses of institutional data.

(C) Data Classification

Data classification provides a basis for understanding and managing institutional data based on the level of criticality and required confidentiality of the data. Accurate classification provides the basis for an appropriate and cost-effective level of security and protection. The university's institutional data will be assigned one of three classifications:

1. Public: Data intended for broad distribution in support of the university's missions or freely available to any person or organization with no restrictions.

2. Restricted: Data that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its confidentiality, integrity, and availability, as well as appropriate access, use, and disclosure.

3. Confidential: Data protected or regulated by law or critical to university operations, including sensitive personal information. Unauthorized disclosure of this information could seriously and adversely impact the university or the interests of individuals and organizations associated with the university.

Data stewards must implement a formal data classification process for institutional data under their stewardship. This process must assess the criticality and required confidentiality of data elements, as well as the risk of exposure or loss. For a detailed description of the data steward role and responsibilities, see CWUP 2-70-010 Information Security and Privacy Roles and Responsibilities. For examples of what constitutes public, restricted, and confidential data, please see the Security Services website.

(D) Reporting Responsibilities

Breaches, losses, or unauthorized exposures of restricted data must be immediately reported to the Chief Information Security Officer and handled in accordance with CWUP 2-70-030 Information Security and Privacy Incident Management Policy. University employees must also report actual or suspected criminal activity associated with any such incident to the University police department.

(E) Data Retention

The university's institutional data may often reside in university records, is often used to produce university records, and may itself be university records. University records must be managed in accordance with an approved records retention and disposition schedule.

(4) Policy Maintenance

The Chief Information Security Officer, in collaboration with all stakeholders, shall review and approve this policy statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.

(5) Implementation

Failure by an individual to comply with the university policy on data classification and usage may result in disciplinary action up to and including termination for university employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. In a perceived emergency situation, university staff may take immediate steps, including denial of access to the university network and institutional data as well as seizure and quarantine of university-owned data processing and storage assets, to ensure the integrity of university data and systems or protect the university from liability.

The university reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of a violation of the university policy on data classification and usage.

[Responsibility: AVP of ISS; Authority: Cabinet/UPAC; Reviewed/Endorsed by: Cabinet/UPAC; Review/Effective Date: 06/04/2014, 02/03/2021; Approved by: A. James Wohlpart, President]

CWUP 2-70-030 Information Security and Privacy Incident Management Policy

(1) Scope

This policy applies to incidents involving institutional information in all forms (e.g. electronic or paper) and information systems either managed by the university or by a third party on behalf of the university and pursuant to a written agreement.

(2) Responsibilities

The Chief Information Security Officer, or designee, provides oversight and direction for all information security related incidents and may designate an incident manager, as the situation dictates and in accordance with this policy. In the event a crime has been committed, the Chief Information Security Officer will coordinate with the campus police department and/or other law enforcement entities to determine responsibilities for the incident.

(3) Disclosure Limitations

Care shall be taken in handling evidence and information related to incidents in order to comply with federal or state laws that limit disclosure, e.g., the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

Documentation related to the incident may include information regarding the infrastructure and security of computer and telecommunications networks, security recovery plans, and security risk assessments; or it may include information for which disclosure is prohibited by federal law. As a result, incident-related information may be exempt from public disclosure; a list of the relevant regulatory references is available on the Security Services website.

(4) Policy Maintenance

The Chief Information Security Officer shall review and recommend changes to this policy statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.

(5) Additional Information

For further information on this policy or to report an incident, please contact the Security Services department.

[5/04/2011; Responsibility: AVP of ISS; Authority: Cabinet/PAC; Reviewed/Endorsed by: Cabinet/PAC; Review/Effective Date: 6/4/2014; Approved by: A. James Wohlpart, President]

CWUP 2-70-040 Payment Card Policy

Reference: CWUR 7-70-050 Payment Card Procedures

(1) Policy

It is the policy of the University to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the Director of Financial Services. The University requires all Merchants that accept payment cards to do so only in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and in accordance with the requirements outlined in this policy document and accompanying procedure.

The PCI DSS is a mandated set of requirements agreed upon by the five major credit card companies. These security requirements apply to all transactions surrounding payment cards and the merchants/organizations that accept these cards as forms of payment.

This policy and CWUR 7-70-020 Payment Card Procedure provide the requirements for processing, transmission, storage, and disposal of cardholder data. The intent is to reduce the institutional risk associated with the administration of credit card payments by university departments and to ensure proper internal controls and compliance with the PCI DSS.

(2) Scope

This policy applies to all university entities involved in payment card processing as well as all other external or internal agencies that store, process, or transmit cardholder data and/or sensitive authentication data on behalf of the University.

(3) Authority

In accordance with the provisions of the PCI DSS, the university is required to implement technical and operational safeguards designed to protect cardholder data.

(4) Roles and Responsibilities

The Director of Financial Services is the business owner and approving authority for all merchant accounts and financial transactions. The Chief Information Security Officer, in collaboration with all major stakeholders, is responsible for the development and enforcement of this policy.

(5) Policy Maintenance

The Chief Information Security Officer and the Director of Financial Services shall review and recommend any changes to this policy statement at least annually or more frequently as needed to respond to changes in the regulatory environment and internal business practices.

(6) Implementation

Failure by an individual to comply with the university payment card policy or procedure may result in disciplinary action up to and including termination for University employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Violations specific to the PCI DSS may result in:

• loss of the department or business unit's ability to accept credit cards as a form of payment; and

• fines of up to $500,000 per incident (as imposed by the payment card brand).

The University reserves the right to pursue appropriate legal actions as a result of a violation of the University payment card policy.

[Responsibility: AVP of ISS; Authority: Cabinet/PAC; Reviewed/Endorsed by: Cabinet/PAC; Review/Effective Date: 06/04/2014; Approved by: A. James Wohlpart, President]

CWUP 2-70-050 Information Security Controls

(1) Policy

Central Washington University (university) shall implement and maintain procedural, physical, technical, and regulatory safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001:2013 information security standard, along with the National Institute of Standards and Technology (NIST) frameworks, will be used as a guideline of best practice. All implemented security controls will be commensurate with asset value, aligned with the appropriate compliance requirements, and determined by an internal risk assessment process.

In accordance with ISO/IEC 27001:2013 and NIST, the following information security control domains are therefore implemented:

(A) Information Security Policies

(B) Organization of Information Security

(C) Human Resource Security

(D) Asset Management

(E) Access Control

(F) Cryptography

(G) Physical and Environmental Security

(H) Operations Security

(I) Communications Security

(J) System Acquisition, Development and Maintenance

(K) Supplier Relationships

(L) Information Security Incident Management

(M) Business Continuity Management

(N) Compliance

The specific information security controls associated with each security domain listed above are detailed in the information security procedure that accompanies this policy.

(2) Scope

This policy is applicable to all information systems, networks, staff, faculty, students, student employees, and outside contractors that are affiliated with or conduct work on behalf of the university. The policy also applies to any information that is created, used, and disseminated on behalf of the University in accordance with CWUP 2-70-020 Data Classification and Usage Policy.

(3) Responsibilities

The Chief Information Security Officer has overall responsibility for the development and enforcement of the enterprise-wide information security program. It is understood that certain security controls, as appropriate, will be implemented by other functional areas in compliance with this policy.

(4) Risk Assessment

Resources employed in implementing security controls need to be balanced against the institutional harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.

It is understood that follow-on risk assessments may identify changes in the university's risk appetite, thereby driving a change in the implemented security controls to ensure the identified risks are appropriately mitigated.

(5) Internal Audit

The Security Services department shall plan, establish, implement and maintain an audit program, including the frequency, methods, planning requirements, and reporting associated with the program.

(6) Policy Maintenance

The Chief Information Security Officer shall review and recommend changes to this policy statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.

(7) Implementation

Failure by an individual to comply with the university policies on information security and privacy may result in disciplinary action up to and including termination for university employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student.

The university reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of a violation of the university policies on information security and privacy.

(8) Additional Information

For additional resources, further information on this policy statement, or for a definition of any term used in this policy document, please see the Security Services website.

[Responsibility: AVP of ISS; Authority: Cabinet/UPAC; Reviewed/Endorsed by: Cabinet/UPAC; Review/Effective Date: 06/04/2014, 02/03/2021; Approved by: A. James Wohlpart, President]

CWUP 2-70-060 Computer Center Access & Maintenance

(1) Policy

The purpose of this policy is to ensure the physical security of the CWU Computer Center (CWUCC) which houses the central computing resources for the university including the Computer Operations Center, Network Operations Center and Telecommunications Center.

All personnel requiring access to the CWUCC who are not permanently assigned to the CWUCC are to register at the main Operations Desk.

The name and location of the CWUCC will be kept undisclosed to the greatest extent possible. The building, physical location, and other identifying characteristics will remain undisclosed in order to protect the location from unauthorized access and activities. All references are protected from public disclosure as critical computing assets pursuant to RCW 42.56.420.

In the event of an emergency situation during hours when the CWUCC is not staffed, authorized personnel requiring access may do so without notification. Emergency situations are limited to events which are highly likely to adversely impact the operational integrity of the CWUCC or may result in equipment damage or personal injury. Personnel are to register and notify IS operations staff at the earliest convenience with the specifics of the emergency and any actions taken.

Only personnel with a business need to enter the facility are granted access. IS management and/or its delegated staff is authorized to deny access to any individual who does not have a business need or who violates this policy. Policy violations will lead to disciplinary action.

(2) Scope

This policy applies to physical access to the CWUCC and is applicable to all students, faculty, staff, student employees, and outside contractors that are affiliated with or conduct work on behalf of the University.

(3) Responsibilities

The Chief Information Officer (CIO) or other designee is responsible for this policy and the relevant procedure, Computer Center Access & Maintenance Procedure.

Information Services is responsible for developing the procedures for authorizing access to the CWUCC. (See CWUR 7-70-020 Computer Center Access & Maintenance Procedure.)

(4) Policy Maintenance

The CIO will review and recommend changes to this policy statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.

[Responsibility: AVP of ISS; Authority: Cabinet/UPAC; Reviewed/Endorsed by: Cabinet/UPAC; Review/Effective Date: 02/11/2015; Approved by: A. James Wohlpart, President]

CWUP 2-70-070 Computer Equipment Replacement Purchasing and Disposal

(1) Policy

CWU is committed to life-cycle replacement of faculty and staff computing equipment to ensure their primary computing resource is sufficiently modern, powerful, functional, and secure. In the fulfillment of this commitment, this policy is designed to guide the regular replacement of computing equipment and to centralize computer equipment replacement, purchasing, and disposal within the Information Services and Security department.

(2) Scope

This policy applies to all computing equipment provided to faculty and permanent staff purchased using University funds, other than grants, as well as all computing equipment located in classrooms and computer labs.

(A) This policy covers ONE system per employee in a four-year lifecycle.

(B) Computing equipment used by student workers, temporary staff, and non-tenure track faculty with less than an academic year appointment is not covered under the equipment replacement policy.

(C) Departments may fund computing equipment for student workers, temporary staff, and non-tenure track faculty with less than an academic year appointment if the end of life-cycle computing equipment available does not fit their needs.

(3) Replacement Lifecycle

All institutionally funded computing equipment will be replaced at a regular four-year lifecycle. The Information Services (IS) department will maintain a computer asset management database to establish the purchase and replacement date of computing equipment. When financially possible, computing equipment will be replaced in the fiscal year occurring after the end of the lifecycle period.

(4) Computing Equipment Fund

Beginning in FY22 and in all subsequent years, in conjunction with the annual budget planning cycle, the University will establish an annual computing equipment fund sufficient to replace the computing equipment that will be at end of lifecycle status during that year. All computing equipment purchased by the institution with the computing equipment fund and the computer replacement program (2018-19) are the property of the institution, not of the department or individual.

(5) Responsibilities

The Associate Vice President for Information Services and Security is responsible for this policy and the relevant procedure, CWUR 7-60-070.

(6) Policy Maintenance

The Associate Vice President for Information Services and Security will review and recommend changes to this policy at least annually or more frequently as needed to respond to changes within the institution. This policy is subject to change based on periodic review, budgetary constraints, or other factors.

[Responsibility: AVP of ISS; Authority: Cabinet/UPAC; Reviewed/Endorsed by: Cabinet/UPAC; Review/Effective Date: 04/14/2021; Approved by: A. James Wohlpart, President]

CWUP 2-70-080 Identity and Access Management Framework

Identity and access management (IAM) is a framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities. IAM provides secure and auditable access to systems and applications, as well as enabling user lifecycle management. The operational improvements and benefits delivered by IAM help advance core business drivers such as:

• Improve end-user experience, efficiency, security, and cost control;

• Reduce risk; and

• Enhance audit and meet regulatory compliance.

(1) Policy

The purpose of this policy is to define and implement IAM technologies that can be used to initiate, monitor, and manage digital identities and their related access permissions throughout their lifecycle. This is to be done in an automated manner when possible, with consideration for the need to balance the speed and automation of processes with the control that administrators need to monitor and modify access rights, all while looking to increase efficiencies, without compromising security.

CWU shall implement and maintain procedural, physical, technical, and regulatory safeguards and controls that are reasonable and appropriate for the level of information security risk. Those safeguards are to include, but are not limited to, the following components:

• Utilization of credential management tools;

• Assigning levels of access to individuals or groups through provisioning processes and security policy enforcement;

• Protecting the data within the system(s) appropriately to its classification and securing the system itself;

• Digital identity governance;

• Reporting and auditing; and

• Allowing comprehensive management and authentication of users.

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001:2013 information security standard shall be used as a guiding standard, in conjunction with the National Institute of Standards and Technology (NIST) framework. All implemented security controls will be commensurate with asset value, aligned with the appropriate compliance requirements, and as may be determined by an internal risk assessment process.

(2) Scope

This policy establishes the IAM framework for CWU and applies to all information systems and information resources owned or operated by or on behalf of the university. All employees are responsible for understanding and adhering to this policy.

(3) Responsibilities

The Chief Information Officer is responsible for the operation, management, and oversight of the IAM framework, which assigns and manages digital identities for the university.

(4) Policy Maintenance

The Chief Information Security Officer shall review and recommend changes to this policy statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.

(5) Implementation

Failure by an individual to comply with this policy may result in disciplinary action up to and including termination for employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student.

The university reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of a violation of the University policies on information security and privacy.

(6) Additional Information

For additional resources, further information on this policy statement, or for a definition of any term used in this policy document, please see the Security Services website.

[Responsibility: AVP of ISS; Authority: Cabinet/UPAC; Reviewed/Endorsed by: Cabinet/UPAC; Review/Effective Date: 04/14/2021; Approved by: A. James Wohlpart, President]
