
IT Security Plan Reporting and Plans

What It Is

The University of Washington requires all units to “implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of institutional information that it creates, receives, maintains, or transmits.”

For more details, please read the University’s Administrative Policy Statement (APS) 2.6.

Who It Is For

The Executive Heads of Major University Organizations are responsible for the risks associated with their assets. They must document and implement an Information Security Plan that demonstrates due care in securing those assets by meeting the intent of the controls in APS 2.6. The plan must address *each* of these requirements and include the following.

  • Delegate Plan responsibilities to the appropriate people (e.g., system owners, system operators).
  • Include a Plan implementation timeline and milestones.
  • Describe the organization’s approach to implementing the Plan (e.g., by Unit, Researcher/PI Labs, functional areas or by asset type).
  • Document critical assets and the controls that are implemented for each of them.
  • Describe alternate or compensating controls and the rationale for selecting them.

How To Create A Plan

Step One: Create and Categorize an Inventory of Information Assets

The first step in documenting and implementing an Information Security Plan is to create an inventory of information assets. eSITS will be developing and posting an information asset survey that units can use on an annual basis.

  • An information asset may be a physical, software, or other information technology component that stores or processes Public, UW Confidential, or UW Restricted data.
    • Public data: University information that is published for public use or has been approved for public use by the appropriate University authority. Public information is not exempt from public disclosure, but it still needs careful management to safeguard its integrity and availability.
    • UW Confidential data: data whose protection is required by law or regulation. Examples that come up often at UW include data covered by FERPA, HIPAA, and human-subjects research requirements.
      • Under FERPA, this means student educational records: grades, courses taken, advising notes, and so on. If a student opts out of releasing directory information, then that student’s directory information is also confidential.
      • Under HIPAA, this means data that is considered protected health information (PHI).
      • For research, if personal data is part of a project that has gone through the Office of Sponsored Programs and the Common Rule (45 CFR 46) applies, then that data is confidential.
      • Title IX investigation data.
      • Special note: although a data processing agreement is not a law or regulation, personal data protected by such an agreement is treated as confidential.
    • UW Restricted data: data not specifically protected by law or regulation, but which would not be made available to the public except in response to a request, for example a public records request. This includes much operational data: information we send to colleagues over email, infrastructure plans, meeting agendas and minutes, and budget information. Employment law is complex and beyond the scope of this page, but HR data about individuals that would be included in a public records response should be treated as Restricted.

Identify which of these assets are critical.

  • A critical asset supports your organization, unit, or PI/Researcher’s mission.
  • A critical asset usually contains UW Confidential or UW Restricted data.

eSITS is providing a template and an example designed to assist with identifying, tracking, and classifying these assets and asset groups. Guidance and definitions are provided in the template.

Step Two: Document your Plan

With your critical assets identified, you can start developing your Information Security Plan to document the security controls in place to secure those assets. The following templates and example plans have been specifically developed to assist with that effort.

Unit Level Plan Templates and Example. These are used for your unit as a whole.

Unit Lab or Group Templates and Examples. These are used for research labs or groups within your unit.

Step Three: Submit your Plan and Asset List to eSITS

eSITS is facilitating the submission and review of Information Security Plans within the College of the Environment. Submit your completed Plan and asset list to eSITS using the following form.

After Completion

eSITS will store and manage completed plans. Plans must be reviewed annually; eSITS will help by facilitating update timelines and initiating annual reviews of Units’ Plans.

More Information

For more information on Information Security and the requirements set forth in APS 2.6, please visit the Office of Information Security website.

Completed Plans by Unit

Security Plans in compliance with the University of Washington Administrative Policy Statement 2.6 are made available to members of the College via SharePoint. The following units have provided plans: