University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Network Security
UPPM 87.12
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Safeguarding the security of WSU’s network infrastructure protects WSU data, ensures the integrity of WSU’s IT environment, and supports WSU’s critical academic, research, and business functions. This policy sets forth the roles, responsibilities, and requirements that relate to the security of WSU’s network.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information Owners
WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
4.1 Interconnection Agreements
WSU Information Owners, or their delegates, must approve and manage the exchange of information between WSU networks and other systems using WSU interconnection agreements. Interconnection agreements with external (non-WSU) parties must be signed by a WSU employee with properly delegated signature authority.
Each interconnection agreement must document the interface characteristics, security and privacy control requirements, responsibilities for each system, the WSU data classification, and the impact level of the information communicated.
Agreements are to be reviewed and updated on a defined frequency, at least once every three (3) years.
4.2 General Requirements
WSU Information System Owners are required to inform local and remote users of the activation of remote collaborative computing devices and applications.
WSU networks are to be protected against denial-of-service events.
WSU must physically or logically separate public-facing systems and components from internal organizational networks. Communications must be controlled and monitored at external WSU network interfaces and at key internal managed interfaces in accordance with UPPM 87.50.
WSU must only connect to external networks or systems through managed interfaces consisting of boundary protection devices arranged in accordance with WSU’s security and privacy architecture.
Internet of Things (IoT) devices are to only be connected to a segregated and controlled network segment in accordance with UPPM 87.35.
WSU must use redundant domain name systems (DNS), provide a means to assure the authenticity and integrity of DNS response data, and implement internal and external DNS role separation.
Network resources are to be maintained in accordance with UPPM 87.30.
Access to WSU Networks is to be in accordance with UPPM 87.05.
Physical access to telecommunications infrastructure space and equipment is to be in accordance with UPPM 87.62.
WSU Networks are to be updated in accordance with UPPM 87.40.
Incidents of unauthorized or unusual network activity must be documented and reported in accordance with UPPM 87.55.
4.3 Moderate- and High-Impact Systems
In addition to the above, the following requirements apply to all moderate- and high-impact systems.
WSU networks that support moderate- and high-impact systems are to employ mechanisms to prevent unauthorized and unintended information transfer via shared system resources.
Networks that support moderate- or high-impact systems must:
- Limit external network connections;
- Filter unauthorized control plane traffic;
- Deny network communications traffic by default and allow network communications traffic by exception for selected interfaces and/or systems;
- Prevent split tunneling;
- Route area-selected internal communications to external networks through authenticated proxy servers;
- Ensure authenticity of communication sessions using encryption and secure protocols; and
- Automatically end sessions or connections after a defined period.
Networks that support moderate- or high-impact systems must protect the confidentiality and integrity of transmitted information and implement cryptographic mechanisms to prevent unauthorized disclosure of information in accordance with UPPM 87.33.
Networks that support moderate- or high-impact systems must define information flow control policies that enforce authorizations to control the flow of information between connected systems.
4.4 High-Impact Systems
In addition to the above, the following requirements apply to all high-impact systems.
For high-impact systems, Information System Owners, or their delegates, must employ boundary protection mechanisms to isolate area-defined components that support missions and/or business functions.
For networks that support high-impact systems, Information System Owners, or their delegates, must implement measures to prevent systems from entering vulnerable or unsecure states in the event of an operational failure.
Networks that support high-impact systems must:
- Prevent encrypted information from bypassing information flow control mechanisms;
- Ensure that only authorized individuals or systems are allowed to transfer information between systems prior to accepting data; and
- Authorize network access to privileged commands according to documented operational needs in the system security plan.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: Feb. 2026 (Rev. 651); Feb. 2020 – reviewed; Sept. 2003 (Rev. 14); Aug. 2002 – new policy (Rev. 12)