University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Information Security Incident Management and Breach Notification

UPPM 87.55

For more information contact:
   Information Technology Services


1.0    Overview and Purpose

1.1    Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

  • Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
  • Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
  • Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.

To determine the potential consequence of a loss event, the Federal Information Processing Standards:

  • Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
  • Dictate which security controls are mandatory based upon the categorization level;
  • Define the strength, frequency, and formalization of those controls; and
  • Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2    Specific Policy Overview and Purpose

WSU is responsible for ensuring the privacy, confidentiality, integrity, and availability of its information systems, services, devices, and data. Establishing a consistent and coordinated approach to handling security incidents helps to minimize unauthorized access, misuse, loss, destruction, theft of information, and disruption of services that can be caused by information security incidents.

Information gained and lessons learned during the incident response process may improve future responses to incidents, improve training, and help to build institutional resilience. Proper handling of information security incidents may mitigate potential harm to WSU’s:

  • Strategic plan and business objectives; and
  • Financial operations, brand, and reputation.

This policy provides a WSU-wide framework to help facilitate the development and implementation of consistent and coordinated procedures for reporting and responding to information security incidents across the WSU system.

2.0    Applicability

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0    Roles and Responsibilities

3.1    Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2    Information System Owners

Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation. 

3.3    Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0    Requirements

4.1    General

Information System Owners, or their delegates, are accountable and responsible for appropriately responding to information security incidents that may adversely affect the confidentiality, integrity, and/or availability of institutional systems, services, and data under their care, as required by institutional policies and all applicable laws and regulations.

All WSU business units are to:

  • Distribute this policy to their workforce members;
  • Develop and distribute an incident response plan, in coordination with the WSU Security Operations Center’s (SOC) Incident Response Plan, for incident handling that includes preparation, detection and analysis, containment, eradication, and recovery;
  • Provide annual security incident response training, appropriate for workforce member roles and responsibilities, that is reviewed and updated regularly;
  • Conduct incident response training of high-impact systems that use automated methods and incorporate real-world simulated events;
  • Coordinate incident response procedures with related plans, including Business Continuity and Disaster Recovery plans;
  • Test incident response procedures annually for moderate- and high-impact information systems, services, and data under their purview to determine the effectiveness of the incident response process;
  • Develop and maintain a process to document and track security incidents for institutional systems, services, and data under their care;
  • Use automated methods to track and correlate incidents involving high-impact systems; and
  • Incorporate lessons learned from incidents into improvements in procedures, training, and testing.

4.2    Information Security Incident Reporting

All information security incidents involving institutional systems, services, devices, and data are to be reported by e-mail or telephone as soon as practicable after discovery to the WSU Pullman Information Technology Services (ITS) – Security Operations Center; e-mail abuse@wsu.edu; telephone 509-335-0404.

Security incidents involving moderate- or high-impact systems are to be reported by WSU e-mail to abuse@wsu.edu. Only authorized systems are to be used to report security or privacy incidents. If WSU e-mail is unavailable, call the Security Operations Center at 509-335-0404.

Information pertaining to incident response support for moderate- and high-impact systems is to be supplemented and kept available by automated mechanisms (e.g., automated ticketing system, dashboards).

All information security incidents involving an unauthorized or potential disclosure, loss, theft, or misuse of WSU confidential and/or regulated information (see UPPM 87.01) are to be escalated immediately after discovery to the Tier 1 Executive Triage team (see the Tiered Delegated Authority table below). This includes WSU confidential or regulated information wherever it is stored, processed, or transmitted, including but not limited to:

  • Endpoints (as defined in UPPM 87.10);
  • Vendor hosted and cloud services; and
  • Printed hard copies.

Various state and federal laws and regulations may contain specific security incident and data breach reporting requirements (e.g., FERPA, HIPAA, GDPR, GLBA, PCI, CJIS, RCW 42.56.590, and RCW 19.255.010). Security incident and data breach reporting processes must be compliant with all applicable policies, laws, regulations, standards, and contractual obligations.

4.3    Tiered Delegated Authority for Information Security Incident and Breach Response 

On behalf of WSU, the following roles (see table below) have been delegated authority for the oversight and coordination of information security incident and breach response efforts, to include:

  • Complying with applicable breach notification laws, regulations, and contractual obligations;
  • Coordinating with WSU compliance offices, subject matter experts, and resources as appropriate; and
  • Coordinating with third parties (e.g., insurance carriers, vendors, law enforcement agencies, or other subject matter experts who may be providing incident response services).

Tier 1: Executive Triage Team

Purpose: Initial triage, risk assessment, and strategic decision-making for potential or emerging incidents.

Tier 1 Delegated Authority:

  • Chief Information Security Officer (CISO)
  • Chief Compliance and Risk Officer (CCRO)
  • Chief Privacy Officer (CPO)
  • WSU Division of the Office of the Attorney General (AGO) (advisory only)

Tier 2: Cross-Functional Response Team

Purpose: Manage incidents that require multi-disciplinary coordination beyond the executive triage team.

Tier 2 Delegated Authority:

  • WSU Office of the President/Chief of Staff
  • Chief Information Officer (CIO)
  • Office of Marketing and Communications (MARCOM)
  • Office of the Provost and/or College
  • Office of External Affairs and Governmental Relations
  • Office of Finance and Operations
  • WSU Police Department
  • Office of Research
  • Office of Student Affairs
  • Office of International Programs
  • Office of Human Resources
  • VP for University Advancement (WSU Foundation and Alumni Association)
  • Interim Director of Intercollegiate Athletics
  • Senior Vice Provost for Health Sciences
  • Academic Outreach and Innovation
  • Chief Audit Executive
  • Office of the Chancellor
  • Other (faculty, staff, or 3rd party subject matter experts)

Tier 3: Crisis Response and Escalated Support

Purpose: Respond to high-severity incidents with widespread impact, legal liability, regulatory exposure, or reputational risk.

Tier 3 Delegated Authority:

  • State and Federal Regulatory Bodies
  • State Attorney General’s Office (AGO)
  • WaTech and Other State-Level Technology Partners
  • Cyber Insurance Carrier and Broker
  • Third-Party Digital Forensics and Incident Response (DFIR) Firms
  • Law Enforcement – Including local police, state agencies, FBI, or DHS
  • Cloud and SaaS Providers

5.0     Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions: March 2026 (Rev. 654); Mar. 2022 – new policy (Rev. 589)