System Security Certification
UW Medicine security policy SEC-05 requires that each system meet minimum security standards.
The purpose of the System Security Certification process is to help you document your compliance efforts.
The following sections describe the process to follow and the suggested forms and documentation
to supply. Below that are sample documents and a PowerPoint presentation about the process.
The Process
This diagram shows the System Security Certification process.
In general, document your system, create a USD ticket and submit your documentation.
SIT will review your documentation and possibly ask you to update some of the documents.
When done, SIT will issue an email declaring that your certification has been reviewed.
When you create the USD ticket, assign it to the SIT group and
set the category to Security.Certification. Then attach
the documents described below.
The Documents
Please supply these documents:
- The System Owner must fill out the Certification Form.
Use a single form for multiple servers if they all conform
to the same standards and ICR.
Fill in both the top and middle sections of the form.
The middle section does not need a real signature. The System
Owner needs to fill in their name, email address, and the date
they want to use as the certification date. Email it or attach
it to the USD ticket. Please don't send a FAX or paper version.
- The Certification Worksheet is used to document the steps you take to secure your system.
Please respond with specific details to document your method of meeting each security policy.
If a computer is built to meet some standard, mention the standard, even giving a link to the
standard.
You may want to submit supplemental documents, such as vendor documentation, to support
some of your answers.
- Supply a system diagram to explain the interplay
between each computer system, any firewalls or VPN, and the
user workstations. The diagram should try to show:
- External firewalls such as Nokia, Netscreens, and subnet-level bridging firewalls.
- VPN connections, vendor access.
- Customers, source data.
- Servers, destination data storage.
- Data centers, physical locations.
- Protocols allowed/denied. This may be covered in the firewall rules.
- Supply a description of the firewall rules.
If one of your servers will be placed in a data center, you
should contact SIT to help review the firewall design. The review
will determine which data center and which firewall zone should
be used. The specific firewall rules will also be designed.
Submit a USD ticket, assigned to the SIT group, with the category
Security.Certification to start the review.
- Use a security analysis tool (e.g., MBSA for Windows systems) to check the
security of your system. Supply the resulting report. Supply a
complementary document to address any problems that were found.
Examples
If you supply a document that looks like one of
the bad examples, you will be asked to resubmit until yours looks
like the good example. The typical problem with the initial
certification request is that it is not specific. For example,
if you tell an auditor that you built a computer to a standard,
he will immediately ask you "Which standard?"
- Certification Form: Good, Bad
- Certification Worksheet: Good, Bad
- Certification Diagram: Good, Good
- Certification Firewall Rules: Good
Class Notes
A short presentation is here: PowerPoint and OpenOffice