System Security Standard Find out the standard ways to secure a system at UW Medicine
New Data Stewardship Training Know your Role and Responsibilities for Confidential Information
How to Encrypt Computing Devices and Electronic Data How do I encrypt?
Information Security Policies Home of the Information Security Policies
Departmental Training Materials Training materials for use in departmental education
Self Service Vulnerability Assessement Find your Vulnerabilities
Frequently Asked Questions Find Security related answers
Glossary of Terms Information Security Term Definitions
Contact the Information Security Team We are here to Help
Secure Remote Access UW Medicine Networks Team
UW Office of the CISO UW Chief Information Security Officers Website
The System Security Standard defines the standard practices used to secure computing systems in order to comply with UW Medicine policy and regulatory requirements.
This standard applies to all systems that store or access University of Washington business information at UW Medicine and support essential business operations.
These standards meet the policy requirements when systems owners and administrators are designing, implementing, configuring, and maintaining their system(s).
Security controls are countermeasures designed to mitigate security risks. Examples of security controls include:
There are standard practices used throughout UW Medicine to secure systems. These standards should be used whenever possible. If your system cannot follow a standard listed below it needs to meet the capabilities listed along with each standard.
The standards listed below comply with UW Medicine policy, if your system implements controls in accordance with these standards your system will comply with the specific policy requirement(s) designated with each standard.
Applicable policy requirements: DA-1, Da-2, DI-1, DI-2, UA-1, UA-2, UA-3, UA-4, CSM-1
The University of Washington provides a wide range of authentication services using UW NetID. These services can be used for any system at UW Medicine. The services include:
UW Medicine provides a domain called "AMC." Any system that is networked on the AMC domain can utilize the AMC domain credentials. These credentials are managed by IT Services and are comprised of all UW Medicine workforce members. If your AMC system needs to be accessed by individuals outside of UW Medicine that do not have AMC credentials, the following services are available upon request:
If your system is unable to utilize either UW NetID or AMC accounts for access and authorization then your alternate account needs to meet the following list of capabilities:
Applicable policy requirements (PS-1)
UW Medicine manages and maintains multiple data center locations. All UW Medicine data centers are physically secured using the following controls:
The University of Washington runs multiple data center locations and coordinates with multiple co-location facilities. The data center locations provide:
University staff, researchers, and affiliated organizations are eligible to use these data center services. See the Data Centers and Mission Critical Facilities Operations Policy
The University data centers are physically secured using the following requirement categories:
If your system is not housed in one of the UW or UW Medicine managed data centers then the areas that the system is housed in should meet the following physical security capabilities:
Applicable policy requirements: (DB-1, DB-2)
UW Medicine IT Services has a data backup agreement in place with Iron Mountain. This agreement covers the backup, storage, and recovery of all UW Medicine data center systems. Under this agreement the systems housed in the data center will have:
The State of Washington also has a contract in place with Iron Mountain for Storage Offsite of Data/Computer Tapes. This contract is extended to all state agencies, political subdivisions of Washington and Oregon states, Qualified Non-profit Corporations, Materials Management Center, Participating Institutions of Higher Education (College and Universities, Community and Technical Colleges).
UW Medicine IT Services also provides a tape data backup for servers that are managed by IT Services - TSO. Departmental servers can subscribe to the tape backup services upon request and subject to terms and conditions. This service provides:
The University of Washington offers a data backup and archive service for systems that reside in one of its managed data centers. This service offering utilizes the Tivoli Storage Manager (TSM) service which includes:
If your system is not housed in a UW or UW Medicine data center then the backup of electronic data on the system is the responsibility of the system owner. The following capabilities should be met for backing up of the system:
Applicable policy requirements (NSMC-1)
Most software on systems is delivered with default vendor passwords and network protocols enabled. System Administrators should make sure that the configuration of their system has addressed the following:
All systems at UW Medicine should use firewalls whenever possible. Firewalls, when properly configured, will mitigate most network based attacks. Here are the standard firewalls used at UW Medicine and how they should be configured.
Applicable policy requirements (DT-1)
The use of encryption to protect electronic data is highly recommended for any system that transmits restricted or confidential electronic data.
When transmitting restricted or confidential electronic data, a secure form of electronic transmission should be utilized whenever possible. Secure forms of electronic transmission include:
Transport Layer Security (TLS)/Secure Sockets Layer (SSL) - TLS/SSL encryption is the preferred method of implementing encryption on UW Medicine electronic data that is transmitted across any network. It should be implemented in such a way that the electronic data is encrypted prior to leaving the host system.
If TLS/SSL encryption cannot be utilized on your system then an alternate encryption method needs to be implemented that meets UW Medicine Security Standard SS-03 Encryption Standard.
If no encryption can be implemented than alternate controls need to be used to insure the data is protected in transit.
Applicable policy requirements (EL-1, EL-2, EL-3)
The ability to look back at events that have occurred on a system once an issue is identified is critical in determining the cause and remediating the issue. In order to look at past events, event logging needs to be enabled on the computing device and reviewed regularly.
Log examples: Authorization logs, application change logs, user privilege logs, firewall logs.
Windows Event Logging - In Windows based operating systems, Windows Logs and Application and Services Logs should be monitored on a regular basis.
Mac OS Event Logging - In Apple based operating systems, Firewall logs, System logs, and any application specific logs should be monitored on a regular basis.
UNIX Event Logging - In UNIX based operating systems, Syslog, Sudo Logging, and SSH Logging should be monitored on a regular basis.
Event Log Storage - Event logs are considered Restricted information. As a result, all event logs should be stored off the system and should follow the minimum backup and retention requirements. Use of a centralized event management system capable of collection, analysis, and alerting is highly recommended.
Applicable policy requirements (SLRA-1, SLRA-2, SLRA-3)
All UW Medicine systems need to have a completed risk assessment documented and maintained. This is to insure that all aspects of security policy, regulatory requirements, and business continuity have been met.
The UW Medicine System Level Risk Assessment Standard is comprised of the following four areas:
Security Control Documentation - All security controls used to meet policy requirements, regulatory requirements, and needed to secure the hardware or electronic data on the computing device(s) needs to be fully documented.
Vulnerability Assessment - A complete vulnerability scan needs to be performed on the system. UW Medicine's preferred tool for this is Nexpose by Rapid7, which is managed and maintained by ITS - Security.
Risk Mitigation Plan - Any critical vulnerabilities or gaps in security controls need to be documented with a complete remediation plan.
Maintain Documentation - All risk assessment documentation needs to be reviewed at least annually and signed off for accuracy.
Applicable policy requirements (BC-1, BC-2, DRT-1)
Business continuity plans identify how a system impacts business operations at UW Medicine and details how the business operations it supports will continue if the system is adversely impacted.
The business continuity plan should be provided to all entity business operation managers that rely on the system for daily operations so they can adequately prepare for operational impacts from any possible system downtime.
Applicable policy requirements (SA-1)
If your system is supported in any way by an outside vendor, all agreements need to be signed by authorized UW Medicine personnel and kept on file by the system owner. Only UW Medicine workforce with explicit authority to enter into agreements on behalf of the University may sign agreements.
All agreements should be reviewed and approved prior to the purchasing of the system to insure that all legal aspects of the agreements are addressed prior to entering any arrangement with non-UW Medicine personnel.
If the vendor (third party) is going to have access to or be provided confidential electronic data, a Data Security Agreement (DSA) needs to be one of the service agreements included in the documentation.
If the confidential information being accessed or provided to the third party includes ePHI and the third party is classified as a Business Associate, a Business Associates Agreement (BAA) also needs to be part of the included documentation.
This standard was signed and approved by: