University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Security Assessment and Authorization

UPPM 87.20

For more information contact:
   Information Technology Services


1.0    Overview and Purpose

1.1    Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

  • Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
  • Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
  • Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter comply with Federal Information Processing Standard 199 (FIPS 199), Standards for Security Categorization of Federal Information and Information Systems, which is intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for each of the stated security objectives of confidentiality, integrity, and availability.

To determine the potential consequence of a loss event, the FIPS 199 impact levels:

  • Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
  • Dictate which security controls are mandatory based upon the categorization level;
  • Define the strength, frequency, and formalization of those controls; and
  • Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2    Specific Policy Overview and Purpose

Evaluating and authorizing information systems through structured, risk-based security assessments protects WSU systems and data. This policy establishes roles, responsibilities, and requirements for security assessments and reports, testing, monitoring, and security authorization and reauthorization across the University.

2.0   Applicability

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0   Roles and Responsibilities

3.1    Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2   Information System Owners

Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for implementing this policy.

3.3   Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard associated with this policy and provide guidance on the procedures for implementing this policy (see the procedural examples).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0   Requirements

4.1     Security Assessment Plan

Information System Owners must prepare a security assessment plan for information systems and services under their care that describes the scope of the assessment. The plan is to include:

  • Information security and privacy controls under assessment;
  • Assessment procedures to be used to determine security control effectiveness;
  • Assessment environment;
  • Assessment team;
    • Moderate- and high-impact systems are to be assessed by independent assessors (e.g., Internal Audit or an external third party if required by contract) or independent assessment teams. High-impact systems must also undergo specialized assessments that correspond to the threat landscape of the system.
  • Assessment roles and responsibilities; and
  • Assessment of the information security controls of the information system and its environment of operation, which is to be conducted at least annually. This assessment must determine the extent to which the security controls are:
    • Implemented correctly;
    • Operating as intended; and
    • Producing the desired outcome with respect to meeting established security requirements.

A plan of action for identified deficiencies in security controls is to be developed and approved by the appropriate WSU Information Owners, or their delegates.

4.2     Security Assessment Report

The assessment team must produce a security assessment report documenting the results of the assessment, including the identified deficiencies in security controls that the plan of action must address, and provide it to the:

  • Information Owners, or their delegates; and
  • Information System Owners, or their delegates.

Note: The assessment team is not responsible for developing the plan of action and milestones.

4.3     Penetration Testing

For high-impact systems, penetration testing must be performed by an independent entity (e.g., OISA’s SOC) to identify vulnerabilities in the system, in accordance with UPPM 87.17.

4.4     Information Exchange

Information System Owners, or their delegates, must document and authorize all internal system connections, as well as data sharing connections between institutional information systems and organizations external to the University. Write permissions or privileges must be verified prior to the initial transfer of data to an interconnected system to ensure the receiving system is authorized to receive the data.

4.5     Data Sharing Agreements

Data sharing agreements are to include, at a minimum, the information security and privacy requirements and the nature of the information to be shared. The appropriate Information Owners, or their delegates, are to periodically review the data sharing agreements.

4.6     Security Authorizations and Reauthorizations

Information Owners, or their delegates, are assigned as Authorizing Officials for the information systems/services within their areas of responsibility. Authorizing Officials are to approve information systems and services for processing before information systems are placed into service.

Security authorizations are updated annually. Security reauthorizations are to be based on:

  • Employment of continuous monitoring processes;
  • Security and risk assessment reports; and
  • Plan of action and milestones.

4.7     Continuous Monitoring

The WSU OISA shall develop a WSU continuous monitoring strategy that includes:

  • Information system metrics to be monitored;
  • Frequency with which the system is to be monitored;
  • Frequency of security assessments supporting such monitoring;
  • Ongoing security control assessments;
  • Ongoing security status monitoring;
  • Correlation and analysis of security-related information generated by assessments and monitoring;
  • Response actions to address results of the analysis of security-related information; and
  • Reporting requirements on the status of institutional information systems to the responsible Information Owners, other appropriate business unit personnel according to their roles, and the Chief Information Security Officer (CISO).

Risk monitoring must be an integral part of any continuous monitoring strategy and includes:

  • Effectiveness monitoring of implemented risk response measures;
  • Compliance monitoring to verify required risk response measures are implemented; and
  • Change monitoring to identify changes to the environment that may affect security and privacy risk.

WSU Information System Owners, or their delegates, are required to implement the WSU continuous monitoring strategy for information systems and services under their care.

Continuous monitoring of moderate- and high-impact systems is to be performed by the WSU Security Operations Center (SOC) or other independent teams, which monitor the security controls of the system on an ongoing basis.

5.0     Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions:  March 2026 (Rev. 654); July 2020 – new policy (Rev. 552)