University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Information Security Planning
UPPM 87.15
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards Publication 199 (FIPS 199), which helps organizations achieve a common level of quality and interoperability in information technology (IT) by requiring that each system be categorized as low-impact, moderate-impact, or high-impact for each of the security objectives of confidentiality, integrity, and availability.
To determine the potential consequence of a loss event, the FIPS 199 impact levels:
- Define the impact categorization rating (Low, Moderate, or High) that WSU Information Owners assign;
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Comprehensive information system security planning safeguards WSU data, systems, and information technology resources from evolving threats. This policy sets forth roles, responsibilities, and requirements to ensure robust and thorough system security planning, thereby supporting and advancing the University’s academic, research, and administrative missions.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
4.1 Information System/Service Owner
WSU Information Owners, or their delegates, must identify the Information System/Service Owners for the WSU institutional information for which they are responsible.
Every WSU information system/service must have an identified Information System/Service Owner to ensure that all WSU information systems and services meet the appropriate information security and privacy requirements of the IT system/service.
WSU Information Owners, or their delegates, are accountable for coordinating with the WSU System/Service Owners, or their delegates, to categorize the IT systems and services within their area of responsibility as low-impact, moderate-impact, or high-impact, in accordance with FIPS 199. The corresponding administrative, technical, and physical baseline security and privacy controls from NIST SP 800-53 are to be tailored and implemented to meet the specific requirements of the IT systems and services within their area of responsibility. The implemented information security and privacy controls are to be documented in the System Security Plan (SSP).
4.2 System Security Plan
SSPs are to be developed to facilitate the implementation of this policy and address:
- Appropriate information security and privacy objectives and risks;
- Information system security and privacy requirements; and
- Related controls to meet the security and privacy requirements.
System security plans are to be disseminated to the appropriate business unit personnel according to their roles.
The WSU Information System/Service Owner must prepare an SSP for all information systems/services under their care. The SSP describes the:
- IT system/service;
- Information security and privacy requirements; and
- Security and privacy controls, processes, or procedures to be in place for meeting those requirements.
A complete SSP helps to support the decision-making process for the authorizing official to approve the operation of an information system or service.
SSPs are to be reviewed and approved by a business unit authorizing official prior to system implementation.
SSPs are to be updated by the Information System/Service Owner, or their delegate, at least annually or when required by information system/environment changes.
SSPs are to be protected from unauthorized disclosure and modification.
4.2.a Specific SSP Criteria
The SSP must adhere to the criteria in the following table:
| Criterion | Requirement |
|---|---|
| Scope and Objectives | Define the scope and strategic objectives of the IT system/service. |
| Operational Context | Describe the operational context of the information system in terms of missions and business processes. |
| Safeguards | Provide for and document the appropriate safeguards for the information system, including supporting rationale, according to the: |
| Operational Environment | Describe the operational environment for the information system as follows: |
| Security Requirements | Describe the security controls in place, or the plan for meeting those requirements, including a rationale for the decisions and a schedule for implementing planned controls. |
| User Responsibilities | Describe information system user responsibilities and expected behavior regarding information and information system usage. |
| Risk Management | Describe how existing or planned security controls provide adequate mitigation of the risks to which the IT system is subject. |
4.2.b Information Security Architecture
The information security architecture of the information system/service must be developed and documented in the SSP:
- Provide an overview of the information security requirements;
- Describe the overall approach taken in regard to appropriately protecting the confidentiality, integrity, and availability of WSU information systems and data;
- Describe the information security architecture of the information system and how it is integrated into institutional information security architectures; and
- Describe any information security assumptions and any dependencies on external systems/services, relative to the information system being developed and implemented.
4.3 Information System/Service Acquisitions
WSU Information System Owners, or their delegates, acquiring cloud or any other third-party information systems and/or services, must implement IT system and service acquisition security and privacy controls in accordance with UPPM 87.37.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: March 2026 (Rev. 654); July 2020 – new policy (Rev. 552)