UPPM Revision #654

March 11, 2026

This UPPM revision includes the following policies:


87.07 E-Mail Use and Security

WSU and each user of WSU email and systems have an obligation to ensure the security, integrity, and accessibility of records sent or received by email, as well as appropriate use of WSU email systems. To fulfill these obligations, this policy:
 
  • Clarifies the duties of all persons utilizing WSU email accounts, with additional duties for those persons conducting official WSU business;
  • Sets forth requirements to reduce the risk of unauthorized access or disclosure of WSU institutional data; and
  • Helps to ensure that public records are retained and accessible as required by law (see UPPM 90.01, 90.03, and 90.05).

87.15 Information Security Planning

Comprehensive information system security planning safeguards WSU data, systems, and information technology resources from evolving threats. This policy sets forth roles, responsibilities, and requirements to ensure robust and thorough system security planning, thereby supporting and advancing the University’s academic, research, and administrative missions.

87.17 Vulnerability Management

Establishing uniform requirements for identifying, assessing, and remediating vulnerabilities within WSU’s information systems helps reduce security risks and protects institutional data. This policy supports WSU’s overall information assurance program by defining expectations for vulnerability scanning, reporting, and coordinated remediation efforts across the University.

87.20 Security Assessment and Authorization

Evaluating and authorizing information systems through the use of structured, risk-based security assessments helps ensure the security of WSU systems and protects WSU systems and data. This policy establishes roles, responsibilities, and requirements for security assessments and reports, testing, monitoring, and security authorization and reauthorization across the University.

87.21 Security Awareness and Training

To support the integrity of WSU’s technology resources, all WSU personnel must have the knowledge and skills to identify, prevent, and respond to potential security risks. Users handling sensitive data are required to have additional training appropriate to their role. The purpose of this policy is to ensure that all users of WSU email, applications, and other computing resources receive adequate training to understand and adhere to best practices in information security.

87.25 Information Security Risk Assessment

Regular and systematic assessment for potential threats and vulnerabilities, including identifying, analyzing, and prioritizing risks, protects WSU’s information systems and data. This policy sets forth roles, responsibilities, and requirements for information security risk assessments so that appropriate safeguards can be implemented and maintained, thereby strengthening the security of WSU’s IT environment.

87.30 Configuration Management and Change Management

Managing configuration and change activities protects the confidentiality, integrity, and availability of WSU institutional data and information systems. By establishing requirements for consistent configuration and change management practices, this policy provides a framework that enables WSU to maintain secure, reliable, and well-managed IT environments.

87.35 Wireless and IoT Security

Wireless networks provide unique advantages but also pose security and administrative challenges that necessitate a high level of technical coordination and adherence to strict requirements. This policy sets forth the roles, responsibilities, and requirements for ensuring the integrity of WSU’s wireless networks.

87.37 Cloud Services, System Development, and Supply Chain Management

Ensuring that third-party systems meet WSU’s security and privacy requirements protects WSU’s IT environment and data. This policy establishes the roles, responsibilities, and requirements for securely acquiring, developing, and managing cloud storage services, information systems, and other components used by WSU.

87.50 Logging And Monitoring

Effective logging and monitoring are essential to protecting WSU’s information systems by enabling the timely detection of security events, misuse, and system anomalies. This policy establishes the requirements for logging and monitoring as well as generating, reviewing, and securing audit records to support operational oversight, incident investigation, and regulatory compliance.

87.55 Information Security Incident Management and Breach Notification

WSU is responsible for ensuring the privacy, confidentiality, integrity, and availability of its information systems, services, devices, and data. Establishing a consistent and coordinated approach to handling security incidents helps to minimize unauthorized access, misuse, loss, destruction, theft of information, and disruption of services that can be caused by information security incidents.
Information gained and lessons learned during the incident response process may improve future responses to incidents, improve training, and help to build institutional resilience. Proper handling of information security incidents may mitigate potential harm to WSU’s:
  • Strategic plan and business objectives; and
  • Financial operations, brand, and reputation.
This policy provides a WSU-wide framework to help facilitate the development and implementation of consistent and coordinated procedures for reporting and responding to information security incidents across the WSU system.
 

87.70 Business Continuity and Disaster Recovery

Business continuity and disaster recovery planning is a critical part of ensuring the security and reliability of WSU’s information systems, as well as the protection of WSU data and information. This policy sets forth roles, responsibilities, and requirements for developing, maintaining, and testing contingency plans.

87.75 Data Retention Backup and Archive

Protecting the confidentiality, integrity, and availability of WSU data and information requires robust data management and backup in accordance with all applicable laws, policies, and standards. This policy sets forth the roles, responsibilities, and requirements for creating and maintaining backup and archived system data.