University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
System and Information Integrity
UPPM 87.40
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standard 199 (FIPS 199), which promotes a common level of quality and interoperability in information technology (IT) by requiring that each system be categorized as low-impact, moderate-impact, or high-impact for each of the security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, FIPS 199 and the categorization it requires:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Ensuring that WSU’s systems and information are protected helps maintain a secure and reliable IT environment that supports WSU’s academic, research, and administrative missions. This policy establishes the requirements to prevent, detect, and correct vulnerabilities across WSU’s systems.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
4.1 General Requirements
Before an information system is placed into operation, WSU Information System Owners, or their delegates, are required to remediate software and firmware vulnerabilities and flaws. Security-relevant software and firmware updates are to be installed in accordance with UPPM 87.30.
Software updates are to be tested in a non-production environment.
Centrally managed spam protection mechanisms must be employed at information system entry and exit points to detect and act on unsolicited messages.
Malicious code protection mechanisms (e.g., anti-malware tools) must be employed at information system entry and exit points and on system endpoints.
The malicious code and spam protection mechanisms are to be automatically updated whenever new releases are available, in accordance with WSU’s OISA standards (PDF).
Malicious code protection mechanisms must perform periodic scans of information systems and take automated actions against any discovered malicious code.
File scanning must be configured to run in real time for files from external sources, as files are downloaded, opened, or executed.
Upon detection of malicious code, the malicious code protection mechanisms must block and/or quarantine malicious code and send alerts to the WSU Security Operations Center (SOC).
Information System Owners, or their delegates, must ensure that information systems are monitored to detect:
- Attacks;
- Indicators of potential attacks; and
- Unauthorized use.
Information systems are to be monitored continuously so that alerts and/or notifications generated by institutional information systems are analyzed.
The level of information system monitoring is to be heightened when there is an indication of increased risk to operations, assets, and/or individuals.
Business units are to receive system security alerts, advisories, and directives on an ongoing basis:
- Internal security alerts, advisories, and directives are to be generated and disseminated as necessary.
- Security alerts, advisories, and directives are to be implemented in accordance with WSU’s OISA standards (PDF).
Business units are to ensure that applicable internal security alerts, advisories, and directives are disseminated to institutional Area Technology Officers (ATOs), Information System Owners, and other business unit personnel as needed.
Business units must maintain a list of authorized business information systems and software. The list is to be protected to prevent loss of integrity.
WSU personnel are to be alerted to failed security and privacy verification tests and when anomalies are discovered.
WSU developers must ensure error messages generated from the information system provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
4.2 Moderate- and High-Impact Systems
In addition to the above, the following requirements apply to all moderate and high-impact systems.
Moderate- and high-impact systems must use automated mechanisms to determine if system components have applicable security relevant software and firmware updates installed.
Moderate- and high-impact systems must define and implement controls to protect the system memory from unauthorized code execution.
Moderate- and high-impact systems must employ automated tools and mechanisms to support analysis of events.
Moderate- and high-impact systems must define criteria for unusual or unauthorized activities or conditions and monitor inbound and outbound communications traffic against those criteria.
- Alerts must notify relevant personnel when indications of compromise or potential compromise occur.
Moderate- and high-impact systems must use integrity verification tools to detect unauthorized changes to software, firmware, and information.
- Response actions must occur when unauthorized changes to the software, firmware, and information are detected.
- Integrity checks are to be performed during system startup, restart, and shutdown.
- Detection of unauthorized changes to authorized business systems and software is to be processed in accordance with UPPM 87.55.
Moderate- and high-impact systems must implement cryptographic authentication mechanisms to verify the integrity of software or firmware components.
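As an added illustration of the integrity verification and cryptographic authentication requirements above (this is example code, not part of this policy and not WSU's or OISA's tooling), the following Python script builds a baseline of SHA-256 file hashes, authenticates the baseline with HMAC-SHA256, and on verification reports modified, added, and removed files, distinguishes a tampered baseline from a file-level change, and maps each outcome to a response action. The HMAC key, directory contents, and the file names in the demonstration are constructed for the example; in a real deployment the baseline would be signed with a key the monitored host cannot use to re-sign, and the response actions would be wired to the SOC alerting path rather than returned as strings.

```python
"""Baseline-and-verify file integrity check (illustrative example, not WSU tooling)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "integrity-manifest.json"


def _sha256(path: Path) -> str:
    """Stream-hash one file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every regular file under root and authenticate the listing with HMAC-SHA256.

    The HMAC stands in for the platform's signature/attestation mechanism (assumption).
    """
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(root).as_posix()] = _sha256(p)
    body = json.dumps(files, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify(root: Path, manifest: dict, key: bytes) -> dict:
    """Return {'status': 'ok'|'violation'|'manifest_tampered', 'modified', 'added', 'removed'}."""
    body = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Check the baseline itself first: a baseline an attacker can rewrite proves nothing.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"status": "manifest_tampered", "modified": [], "added": [], "removed": []}
    current = build_manifest(root, key)["files"]
    baseline = manifest["files"]
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    removed = sorted(f for f in baseline if f not in current)
    added = sorted(f for f in current if f not in baseline)
    status = "violation" if (modified or removed or added) else "ok"
    return {"status": status, "modified": modified, "added": added, "removed": removed}


def response_action(report: dict) -> str:
    """Map a verification report to a response: alert on any violation, halt if the
    baseline itself was tampered with (hypothetical action names)."""
    if report["status"] == "ok":
        return "none"
    if report["status"] == "manifest_tampered":
        return "halt_and_alert"
    return "alert_soc"


def demo() -> tuple:
    """Run the check against a constructed directory: clean, after tampering, and with a forged baseline."""
    key = b"demo-key-not-for-production"  # constructed; never embed a real key in code
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed binary stand-in")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        manifest = build_manifest(root, key)
        clean = verify(root, manifest, key)

        # Simulated unauthorized changes: config edited, new file dropped, binary removed.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "backdoor").write_bytes(b"constructed payload stand-in")
        (root / "bin" / "service").unlink()
        violated = verify(root, manifest, key)

        # Simulated baseline forgery: attacker updates the stored hash to match the edited file
        # but cannot recompute the HMAC without the key.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["etc/app.conf"] = _sha256(root / "etc" / "app.conf")
        tampered = verify(root, forged, key)
    return clean, violated, tampered


if __name__ == "__main__":
    for report in demo():
        print(report["status"], "->", response_action(report), report)
```

The ordering matters: the baseline's authenticity is checked before any file hash is trusted, which is what turns a plain hash list into the cryptographic verification the requirement asks for.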
Moderate- and high-impact systems must validate syntax and semantics of system inputs to prevent cyberattacks, such as cross-site scripting and a variety of injection attacks.
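As an added illustration of the input validation requirement above and of the error-message requirement in section 4.1 (example code, not part of this policy and not WSU's application code), the following Python handler validates a constructed account request by allowlist: syntax (a regular expression for the username, an integer range for the quota) and semantics (a role must be one of the values the system knows, and unknown fields are rejected rather than ignored). Validation failures are reported to the caller field-by-field with a fixed reason string that never echoes the submitted value, while internal failures are logged in full under a reference id and the caller receives only a generic message. The field names, limits, and the simulated database error are assumptions for the example.

```python
"""Allowlist input validation with non-leaking error responses (illustrative example)."""
import logging
import re
import uuid

log = logging.getLogger("app.audit")

# Syntax: the shape a value must have. Anchored, allowlisted character class.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
# Semantics: the meaning a value must have within this system (hypothetical roles).
ROLES = {"student", "staff", "faculty"}
ALLOWED_FIELDS = {"username", "role", "quota_mb"}


class ValidationError(ValueError):
    """Carries the offending field and a fixed, non-echoing reason."""

    def __init__(self, field: str, reason: str):
        super().__init__(reason)
        self.field = field


def validate_account_request(raw: dict) -> dict:
    """Return a cleaned record or raise ValidationError. Unknown fields are rejected."""
    if set(raw) - ALLOWED_FIELDS:
        raise ValidationError("request", "contains fields outside the allowed set")
    username = raw.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username", "must be 3-32 characters: a lowercase letter then [a-z0-9_]")
    role = raw.get("role")
    if role not in ROLES:
        raise ValidationError("role", "not an allowed role")
    quota = raw.get("quota_mb")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(quota, int) or isinstance(quota, bool) or not 1 <= quota <= 10240:
        raise ValidationError("quota_mb", "must be an integer between 1 and 10240")
    return {"username": username, "role": role, "quota_mb": quota}


def handle(raw: dict, db_error: Exception = None) -> tuple:
    """Return (http_status, body). `db_error` simulates a downstream failure (constructed).

    Clients get enough to correct their input; internal detail goes only to the log.
    """
    try:
        record = validate_account_request(raw)
        if db_error is not None:
            raise db_error
        return 200, {"created": record}
    except ValidationError as e:
        return 400, {"error": "invalid input", "field": e.field, "detail": str(e)}
    except Exception as e:  # anything else is an internal failure
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s %s: %s", ref, type(e).__name__, e)  # full detail stays server-side
        return 500, {"error": "internal error", "reference": ref}


if __name__ == "__main__":
    print(handle({"username": "jdoe_01", "role": "student", "quota_mb": 512}))
    print(handle({"username": "<script>alert(1)</script>", "role": "student", "quota_mb": 5}))
    print(handle({"username": "jdoe", "role": "student", "quota_mb": 5},
                 db_error=RuntimeError("could not connect to 10.0.0.5:5432 password=hunter2")))
```

Two points a practitioner would check: the 400 body contains the field name and a canned reason but never the rejected value, so a cross-site scripting payload in the username cannot be reflected back by the error path; and the 500 body carries only a reference id that an operator can correlate with the log entry holding the real exception.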
4.3 High-Impact Systems
In addition to the above, the following requirements apply to all high-impact systems.
High-impact systems must consider enabling provisions to ensure encrypted communications are visible to WSU monitoring tools and mechanisms.
High-impact systems must automatically alert personnel when indications of inappropriate or unusual activities occur as defined in UPPM 87.50.
High-impact systems must regularly verify the correct operation of security and privacy functions during system transitional states and upon command by a user with appropriate privilege.
High-impact systems must employ automated tools to notify relevant personnel upon discovering discrepancies during integrity verification.
When integrity violations are discovered, high-impact systems are to be configured to automatically shut down, restart, and/or trigger an audit alert.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: Feb. 2026 (Rev. 651); July 2020 – new policy (Rev. 552)