This policy establishes UW Medicine requirements for protecting the confidentiality, integrity and availability of electronic data. It also addresses related regulatory requirements, and summarizes existing University policies as they apply to the use and protection of electronic data.
This Electronic Data Policy applies to all electronic data associated with UW Medicine business. UW Medicine electronic data, like all other electronic data of the University of Washington, must also comply with UW Data Classification.
All workforce members must comply with the UW policies and the following requirements governing the classification, use, handling, transmittal, storage, retention, disposal, and manipulation of UW Medicine electronic data.
To determine what security controls to put in place on a system to safeguard its electronic data, the data must first be properly classified.
Requirement: (DC-1) All data must be classified as public, restricted, or confidential in accordance with the UW APS 2.10 - Minimum Data Security Standards: Data Classification and Related Measures of Protection.
Based on the data classification, there are specific requirements for how electronic data may be stored on a computing system or mobile computing device.
Requirement: (DS-1) All electronic data must be stored on a computing device with security controls sufficient to protect data of that classification.
All user access to electronic data will be based on the "principle of least privilege".
Requirement: (DA-1) Access to electronic data must only be provided according to a user's job function. System Owners must ensure that user access is limited by job function and appropriate data access is granted based on the principle of least privilege.
Requirement: (DA-2) All workforce members who approve access for users must document the users' access privileges that they approve.
All data that is not otherwise encrypted must be physically secured.
Requirement: (PS-1) Data centers and other areas where operational computer equipment with data is maintained or stored must be secured. Physical access controls and records must be maintained.
Person(s) who remove electronic data from its originating computing system are responsible for its confidentiality and integrity.
Requirement: (DR-1) Electronic data that is classified as Restricted or Confidential cannot be taken out of UW Medicine facilities without the approval of the workforce member's manager (i.e., supervisor, director, chair, dean, president).
Electronic data in transit (e.g., email, "cloud" services, copying to removable media, text messaging) must be managed in a manner that prevents inappropriate access, data loss, or alteration. These requirements must be followed regardless of the method used to transfer data from one place to another.
Requirement: (DT-1) All Restricted and Confidential electronic data in transit must be encrypted or otherwise physically secured in a manner that prevents its theft or inappropriate use. This includes computing system to computing system communications via shared public networks.
For guidance on how to securely use UW email, please see our Email Guidance.
When possible, verification of receipt of the Restricted or Confidential information should be provided by the data recipient.
Electronic data is vulnerable to many different threats that may make it unusable. The computing devices that store the data may also become inaccessible at times when the data is needed.
Requirement: (DB-1) All electronic data must be backed up at a frequency that meets the business need for that data.
Requirement: (DB-2) All systems designed to retain electronic data must have operational and/or electronic procedures to support emergency mode operations should the electronic data become unavailable or in case of loss. Data retained on backup electronic media must be tested for use and integrity on a regular basis.
Electronic data accumulates on computing devices and electronic storage media the longer they are in service. Much of the data used for job functions is considered Restricted or Confidential and may not be used by the next workforce member receiving that computing device.
Requirement: (DD-1) All Restricted and Confidential electronic data must be electronically erased, removed, or physically destroyed from all computing devices prior to recycling, reuse, or reassignment, in a manner that does not allow its restoration with readily available resources.
Many regulatory requirements and policies stipulate that data must be retained for a specific period of time for audit and record-keeping purposes.
Requirement: (DRT-1) Electronic data must be retained in accordance with its classification and type. Legal mandates and subpoenas for data will supersede local requirements should they be in conflict.
In order for electronic data to be used properly for its intended purpose it must not be accidentally or inadvertently altered from its usable state.
Requirement: (DI-1) All electronic data must be checked for unauthorized changes according to its classification. Data with a higher criticality and classification must be verified in a manner consistent with its use and criticality.
Requirement: (DI-2) All electronic data must have safeguards in place to mitigate the possibility of unauthorized data alteration.
This policy was signed and approved by: