Information Security Program

System Security Standard


Department: IT Services

Policy Number: SS-01

Effective Date: February 14th, 2013

Revision Date:

Reviewer:

Purpose

The System Security Standard defines the standard practices used to secure computing systems in order to comply with UW Medicine policy and regulatory requirements.

Applicability

This standard applies to all systems that store or access University of Washington business information at UW Medicine and support essential business operations.

Standard

System owners and administrators meet the policy requirements by following these standards when designing, implementing, configuring, and maintaining their system(s).

Security Controls

Security controls are countermeasures designed to mitigate security risks. Examples of security controls include:

  • Physical controls such as locked doors and air conditioning
  • Procedural controls such as incident response processes and security awareness training
  • Technical controls such as user authentication and authorization, firewalls, and anti-virus software
  • Legal controls such as policies and contracts

There are standard practices used throughout UW Medicine to secure systems. These standards should be used whenever possible. If your system cannot follow a standard listed below, it needs to meet the capabilities listed along with that standard.

The standards listed below comply with UW Medicine policy. If your system implements controls in accordance with these standards, it will comply with the specific policy requirement(s) designated with each standard.

  1. Access and Authorization Standard

  2. Applicable policy requirements: DA-1, DA-2, DI-1, DI-2, UA-1, UA-2, UA-3, UA-4, CSM-1

    UW NetID (University of Washington Account)

    The University of Washington provides a wide range of authentication services using UW NetID. These services can be used for any system at UW Medicine. The services include:

    • Active Directory via Kerberos/NTLM v2 for applications and Windows devices
    • UW Kerberos for applications and Unix/Linux devices
    • Pubcookie for internal and external web applications
    • Shibboleth for internal and external web applications
    • Tokens (Entrust) for one-time and two factor password authentication

    AMC (UW Medicine Account)

    UW Medicine provides a domain called "AMC." Any system that is networked on the AMC domain can utilize the AMC domain credentials. These credentials are managed by IT Services and cover all UW Medicine workforce members. If your AMC system needs to be accessed by individuals outside of UW Medicine who do not have AMC credentials, the following services are available upon request:

    • Organized Healthcare Arrangement (OHCA) see UW Medicine Privacy Policy PP-01
    • Business Associates Agreement (BAA) see UW Medicine Privacy Policy PP-12
    • Contractual Agreements for Access to ePHI see UW Medicine Privacy Policy PP-20a Attachment B
    • U-Link for Referring Healthcare Professionals or External Healthcare Professionals for Continuity of Care see UW Medicine Privacy Policy PP-20a Attachment D
    • Other Non-UW Medicine Workforce must have Director or Administrator authorization and they must sign the Privacy, Confidentiality and Information Security Agreement see UW Medicine Privacy Policy PP-20a Attachment E

    Non UW NetID or AMC Account -

    If your system is unable to utilize either UW NetID or AMC accounts for access and authorization then your alternate account needs to meet the following list of capabilities:

    • Ability to assign unique user IDs to individuals
    • Ability to use strong passwords that include:
      • A minimum of 8 characters
      • Uppercase letters
      • Lowercase letters
      • Numbers
      • And special characters (i.e. - ! @ # $ % & *)
    • Ability to change passwords a minimum of every 120 days
    • Ability to assign permissions to systems, applications, workstations for specific users
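The capabilities listed above for alternate accounts can be checked mechanically. The following is an added example, not part of the UW Medicine standard: it tests a candidate password against the listed composition rules at change time and audits account records for shared user IDs and passwords older than 120 days. The record fields, the sample accounts, the case-insensitive ID comparison, and the treatment of any ASCII punctuation as a special character are assumptions.

```python
import string
from datetime import date

MIN_LENGTH = 8                 # "A minimum of 8 characters"
MAX_PASSWORD_AGE_DAYS = 120    # passwords changed at least every 120 days
# Assumption: any ASCII punctuation counts as special; the standard lists ! @ # $ % & *
SPECIAL = set(string.punctuation)


def password_gaps(candidate):
    """Return the composition requirements that the candidate password fails."""
    checks = {
        "at least 8 characters": len(candidate) >= MIN_LENGTH,
        "uppercase letter": any(c.isupper() for c in candidate),
        "lowercase letter": any(c.islower() for c in candidate),
        "number": any(c.isdigit() for c in candidate),
        "special character": any(c in SPECIAL for c in candidate),
    }
    return [name for name, ok in checks.items() if not ok]


def audit_accounts(accounts, today):
    """Flag user IDs held by more than one person and passwords past 120 days."""
    findings = []
    owners = {}
    for acct in accounts:
        # Assumption: IDs are compared case-insensitively.
        owners.setdefault(acct["user_id"].lower(), set()).add(acct["person"])
    for user_id, people in sorted(owners.items()):
        if len(people) > 1:
            findings.append((user_id, "user ID shared by %d people" % len(people)))
    for acct in accounts:
        age = (today - acct["password_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["user_id"].lower(), "password is %d days old" % age))
    return findings


# Constructed sample records (hypothetical names and dates).
SAMPLE_ACCOUNTS = [
    {"user_id": "jdoe", "person": "Jane Doe", "password_changed": date(2013, 1, 10)},
    {"user_id": "labshare", "person": "Ann Lee", "password_changed": date(2012, 9, 1)},
    {"user_id": "LabShare", "person": "Bo Chen", "password_changed": date(2013, 1, 20)},
]

if __name__ == "__main__":
    print(password_gaps("winter13"))
    for finding in audit_accounts(SAMPLE_ACCOUNTS, date(2013, 2, 14)):
        print(finding)
```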
  3. Physical Security Standard

  4. Applicable policy requirements (PS-1)

    UW Medicine Data Centers -

    UW Medicine manages and maintains multiple data center locations. All UW Medicine data centers are physically secured using the following controls:

    • All individuals requesting access must be authorized and agree to terms outlined in the Data Center Access Form
    • All individuals will be assigned to an Access Group by the Data Center Manager. The access groups are:
      • Access Control - Data Center Manager or Delegate Only
      • DCOM - DCOM personnel Only
      • Unescorted - System Administrators, Networks, or Facilities personnel Only
      • Escorted Access - All other approved individuals
    • Approved individuals' associated information will be added to the access list
    • All doors have key card readers
    • An SDM ticket will be generated for all non-DCOM access
    • No Food or Drink allowed in data center area
    • Logoff and Close all KVM consoles upon leaving
    • Only DCOM personnel are authorized to change or connect anything to existing infrastructure
    • No storage (media, etc.) in any server cabinet
    • No packaging material left in data center
    • All vendors and contractors must be escorted
    • No raising of floor tiles without DCOM assistance
    • No photographs or video pictures are to be taken without prior permission
    • All data centers use video surveillance
    • All video surveillance is reviewed daily

    See also, the UW Medicine Information Technology Services Physical Security Policy and Procedures

    University of Washington Datacenters -

    The University of Washington runs multiple data center locations and coordinates with multiple co-location facilities. The data center locations provide:

    • Full rack cabinets
    • Half rack cabinets
    • Public and/or private IP addresses
    • DHCP plus static IP addresses
    • Generator backup for systems meeting high availability criteria
    • 10 GigE network connection
    • Data backups and archives or Data storage services
    • In-line firewall services

    University staff, researchers, and affiliated organizations are eligible to use these data center services. See the Data Centers and Mission Critical Facilities Operations Policy

    The University data centers are physically secured using the following requirement categories:

    • Personnel safety
    • Air conditioning and air quality
    • Authorization and access (as they apply to physical access)
    • Modification and Change
    • Decommissioned Equipment
    • Electrical Power
    • Documentation and Labeling
    • Equipment and Cabling
    • Environmental Cleanliness
    • and Authorized User Conduct

    See also the Data Centers and Mission Critical Facilities Operations Procedures

    Non-UW or UW Medicine Data Center -

    If your system is not housed in one of the UW or UW Medicine managed data centers then the areas that the system is housed in should meet the following physical security capabilities:

    • Locked door to room or other physical space occupied by system
    • Ability to log physical access to the system by authorized workforce
    • Ability to meet Heating, Ventilation, and Air conditioning (HVAC) needs of system
    • Proper electrical power and backup power requirements
    • Environmental cleanliness procedures, may be covered by facilities and maintenance
    • Process for disposal of equipment and electronic data
  5. Back up and Restoration Standard

  6. Applicable policy requirements: (DB-1, DB-2)

    UW Medicine

    UW Medicine IT Services has a data backup agreement in place with Iron Mountain. This agreement covers the backup, storage, and recovery of all UW Medicine data center systems. Under this agreement the systems housed in the data center will have:

    • Scheduled data backup pickups
    • Special timeframe pickup availability
    • Backup transportation to Iron Mountain facility
    • Storage at Iron Mountain Vault

    The State of Washington also has a contract in place with Iron Mountain for Storage Offsite of Data/Computer Tapes. This contract is extended to all state agencies, political subdivisions of Washington and Oregon states, Qualified Non-profit Corporations, Materials Management Center, Participating Institutions of Higher Education (College and Universities, Community and Technical Colleges).

    UW Medicine IT Services also provides a tape data backup for servers that are managed by IT Services - TSO. Departmental servers can subscribe to the tape backup services upon request and subject to terms and conditions. This service provides:

    • Data backed up with strong encryption onto backup media
    • Located in tape libraries in IT Services data center, only accessible by IT Services personnel
    • Onsite and Offsite redundancy
    • Up to 6 weeks of stored data
    • 1-3 day restore time, dependent on data type and day of week requested

    University of Washington -

    The University of Washington offers a data backup and archive service for systems that reside in one of its managed data centers. This service offering utilizes the Tivoli Storage Manager (TSM) service which includes:

    • Automated data backup
    • Multi-tape copies
    • Geographically diverse location storage

    Non-UW or UW Medicine Data Center systems -

    If your system is not housed in a UW or UW Medicine data center then the backup of electronic data on the system is the responsibility of the system owner. The following capabilities should be met for backing up of the system:

    • Backups performed on a regular predetermined schedule
      • Operating System
      • Hardware
      • Support systems (i.e. - power supply, peripherals, network protections)
      • Firewalls (both hardware and software)
      • Applications
    • All software used on your system should be evaluated for vulnerabilities.
    • All software should be checked for updates on a regular basis or be set to automatically update. The process used for verifying your software is up to date should be documented as part of your system maintenance procedure.
  7. Network Security and Protection against Malicious Code Standard

  8. Applicable policy requirements (NSMC-1)

    Configuration Management -

    Most software on systems is delivered with default vendor passwords and network protocols enabled. System Administrators should make sure that the configuration of their system has addressed the following:

    • Removal of any vendor accounts (unless needed to meet an agreement with the vendor for support purposes)
    • Change of all vendor supplied passwords for default accounts
    • Disabling of all network protocols that are not needed for the system to perform its business purpose (i.e.- FTP, SSH, SNMP, ICMP)
    • Do not run scripts/processes with administrator privileges unless absolutely necessary
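One way to verify the protocol item in the checklist above is to compare what a host is actually listening on against the services documented as needed for its business purpose. The following is an added example, not part of the UW Medicine standard: it parses `ss -tuln` output and reports network-reachable listeners that are not on an approved list. The sample output and the approved set are constructed, and ICMP, which has no port, is outside what this check covers.

```python
# Port labels for protocols the standard names as examples.
WELL_KNOWN = {("tcp", 21): "FTP", ("tcp", 22): "SSH", ("udp", 161): "SNMP"}
LOOPBACK = ("127.", "[::1]")   # listeners bound here are not reachable from the network


def parse_listeners(ss_output):
    """Parse `ss -tuln` text into (protocol, local_address, port) tuples."""
    listeners = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or an unrelated socket type
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.append((fields[0], addr, int(port)))
    return listeners


def unapproved_listeners(ss_output, approved):
    """Return sorted (protocol, port, label) for exposed listeners not approved."""
    findings = set()
    for proto, addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK):
            continue  # local-only service
        if (proto, port) in approved:
            continue  # documented as needed for the business purpose
        findings.add((proto, port, WELL_KNOWN.get((proto, port), "unknown")))
    return sorted(findings)


# Constructed sample of `ss -tuln` output from a hypothetical web server.
SAMPLE_SS = """
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      32     [::]:21            [::]:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

# Assumption: this system's documented business purpose needs HTTPS and SSH only.
APPROVED = {("tcp", 443), ("tcp", 22)}

if __name__ == "__main__":
    for proto, port, label in unapproved_listeners(SAMPLE_SS, APPROVED):
        print("disable or justify: %s/%d (%s)" % (proto, port, label))
```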

    Firewalls -

    All systems at UW Medicine should use firewalls whenever possible. Firewalls, when properly configured, will mitigate most network based attacks. Here are the standard firewalls used at UW Medicine and how they should be configured.

    • All firewalls should be configured to block unnecessary traffic by default.
    • Centrally-managed Windows-based workstations - Windows workstations that are centrally managed should use the Sophos firewall configured through a Sophos Enterprise Console.
    • Other workstations - Almost all operating systems, including Linux-based, Microsoft, and Apple products, have built-in firewalls, which should be enabled.
    • Windows-based servers - Symantec Endpoint Protection is a centrally managed host-based firewall system for Windows 32-bit and 64-bit servers. Contact the UW Medicine Help Desk for more information.
    • Juniper Netscreen - Netscreen 5GT, Juniper SSG-5, Juniper SSG-140, and Juniper ISG-1000 firewalls are in widespread use within UW Medicine to protect end devices that do not have host-based firewalls.
      • Netscreen firewalls should be deployed wherever host-based firewalls cannot be deployed.
  9. Encryption Standard

  10. Applicable policy requirements (DT-1)

    The use of encryption to protect electronic data is highly recommended for any system that transmits restricted or confidential electronic data.

    When transmitting restricted or confidential electronic data, a secure form of electronic transmission should be utilized whenever possible. Secure forms of electronic transmission include:

    Transport Layer Security (TLS)/Secure Sockets Layer (SSL) - TLS/SSL encryption is the preferred method of implementing encryption on UW Medicine electronic data that is transmitted across any network. It should be implemented in such a way that the electronic data is encrypted prior to leaving the host system.

    If TLS/SSL encryption cannot be utilized on your system then an alternate encryption method needs to be implemented that meets UW Medicine Security Standard SS-03 Encryption Standard.

    If no encryption can be implemented, then alternate controls need to be used to ensure the data is protected in transit.

  11. Event Logging Standard

  12. Applicable policy requirements (EL-1, EL-2, EL-3)

    The ability to look back at events that have occurred on a system once an issue is identified is critical in determining the cause and remediating the issue. In order to look at past events, event logging needs to be enabled on the computing device and reviewed regularly.

    Log examples: Authorization logs, application change logs, user privilege logs, firewall logs.

    Windows Event Logging - In Windows based operating systems, Windows Logs and Application and Services Logs should be monitored on a regular basis.

    Mac OS Event Logging - In Apple based operating systems, Firewall logs, System logs, and any application specific logs should be monitored on a regular basis.

    UNIX Event Logging - In UNIX based operating systems, Syslog, Sudo Logging, and SSH Logging should be monitored on a regular basis.

    Event Log Storage - Event logs are considered Restricted information. As a result, all event logs should be stored off the system and should follow the minimum backup and retention requirements. Use of a centralized event management system capable of collection, analysis, and alerting is highly recommended.

  13. Risk Assessment Standard

  14. Applicable policy requirements (SLRA-1, SLRA-2, SLRA-3)

    All UW Medicine systems need to have a completed risk assessment documented and maintained. This is to ensure that all aspects of security policy, regulatory requirements, and business continuity have been met.

    The UW Medicine System Level Risk Assessment Standard is comprised of the following four areas:

    Security Control Documentation - All security controls used to meet policy requirements and regulatory requirements, or needed to secure the hardware or electronic data on the computing device(s), need to be fully documented.

    Vulnerability Assessment - A complete vulnerability scan needs to be performed on the system. UW Medicine's preferred tool for this is Nexpose by Rapid7, which is managed and maintained by ITS - Security.

    Risk Mitigation Plan - Any critical vulnerabilities or gaps in security controls need to be documented with a complete remediation plan.

    Maintain Documentation - All risk assessment documentation needs to be reviewed at least annually and signed off for accuracy.

    All system level risk assessments should meet the UW Medicine System Level Risk Assessment Standard SS-02.

  15. Business Continuity Standard

  16. Applicable policy requirements (BC-1, BC-2, DRT-1)

    Business continuity plans identify how a system impacts business operations at UW Medicine and detail how the business operations it supports will continue if the system is adversely impacted.

    Minimum data:

    • Maximum downtime prior to severe business impact
    • Business operations that are dependent on system
    • Cost of severe impact to business
    • Minimum lead time to repair
      • Hardware
      • Software
      • Ancillary systems
      • Networks

    The business continuity plan should be provided to all entity business operation managers that rely on the system for daily operations so they can adequately prepare for operational impacts from any possible system downtime.

  17. Service Agreements Standard

  18. Applicable policy requirements (SA-1)

    If your system is supported in any way by an outside vendor, all agreements need to be signed by authorized UW Medicine personnel and kept on file by the system owner. Only UW Medicine workforce with explicit authority to enter into agreements on behalf of the University may sign agreements.

    All agreements should be reviewed and approved prior to the purchasing of the system to ensure that all legal aspects of the agreements are addressed prior to entering any arrangement with non-UW Medicine personnel.

    If the vendor (third party) is going to have access to or be provided confidential electronic data, a Data Security Agreement (DSA) needs to be one of the service agreements included in the documentation.

    If the confidential information being accessed or provided to the third party includes ePHI and the third party is classified as a Business Associate, a Business Associates Agreement (BAA) also needs to be part of the included documentation.


Standard Approval

This standard was signed and approved by:

  • Dr. James S. Fine, Chief Information Security Officer, UW Medicine
  • Johnese Spisso, Chief Health System Officer, UW Medicine & Vice President for Medical Affairs, University of Washington