UW Medicine Information Security Program Banner Graphic
UW | UW Medicine | IT Services

System Security Certification

UW Medicine security policy SEC-05 requires that System Owners and System Operators (SOSOs) meet mimimum security standards for each of their systems and that they document their security controls. System Security Certification is a required process whereby SOSOs assert their compliance to policy and provide this information to the Security team for review.

The Process

The SOSO has several important things to do before requesting a System Security Certification:

  1. Determine requirements. Security requirements come from UW Medicine Information Security policies and standards, UW Security policies and standards, local departmental policies and standards, and other sources depending on the nature of the system and its data. For example, some systems funded by Federal grants may need to meet Federal security directives and systems dealing with credit cards need to comply with Payment Card Industry contractual obligations. SOSOs are required to attend SOSO training, which provides an introduction to UW Medicine Security policies.
  2. Design controls. Based on requirements, SOSOs design their security controls, including those for physical security, authentication, authorization, patch management, protection from malware, firewalls, data backup and recovery, etc. Collaboration with other technical support teams will often be required. (See note on System Security Design.)
  3. Build system. SOSOs and/or their technical support teams build the system per the design.
  4. Test controls. SOSOs and/or their technical support teams verify that security controls have been implemented as designed and, where possible, test them for effectiveness.
  5. Document design. The SOSO should keep detailed records of their final design.
  6. Complete required certification documents. This includes the Certification Form, Certification Worksheet, and a system diagram. See section below for more information.
  7. Submit information. Email required documents to uwmed-secops@u.washington.edu.

The Security team will then take the following steps:

  1. Create USD ticket. Security on-call will read incoming email and create a standard Security.Certification ticket.
  2. Save attachments. Security on-call will save the attached documents to a new folder in the established fileshare for this purpose.
  3. Review documents. The assigned security engineer will review the submitted documents for completeness. If documents are missing, unclear, or incomplete the SOSOs will be contacted to correct this.
  4. Email System Owner/Operator. Once the documents have been reviewed and deemed complete, the security engineer will contact the SOSOs to let them know the review has been completed.
  5. Close USD ticket. The security engineer closes the USD ticket.

This diagram shows the System Security Certification process in flowchart form.

Completing the Certification Documents

  1. The System Owner must fill out the Certification Form. Use a single form for multiple servers if they are all part of the same system. Fill in the form completely. The signature block does not need a handwritten signature. Please don't send a FAX or paper version.
  2. The Certification Worksheet is used to document the steps you've taken to secure your system. Please respond with specific details to document your method of meeting each security policy.
  3. Supply a system diagram that shows all the components of your system, their locations, and the network connectivity requirements among system components, client devices, vendors, and shared infrastructure such as DNS servers, file and print services, VPNs, etc. The diagram should indicate specific network ports and protocols that are required and should be suitably detailed so that firewall rules can be built from it.

Examples

Some examples of required documents are included below to give a better idea of what we are looking for.

© copyright 2010 | UW Medicine | all rights reserved