{"id":43522,"date":"2020-06-24T10:38:04","date_gmt":"2020-06-24T17:38:04","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=43522"},"modified":"2026-02-20T16:22:32","modified_gmt":"2026-02-21T00:22:32","slug":"bppm-87-10","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-10\/","title":{"rendered":"87.10 Electronic Device (Endpoint) Security"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Electronic Device (Endpoint) Security<\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.10<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br \/>\u00a0 \u00a0<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr \/>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 \u00a0\u00a0 Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 \u00a0\u00a0 Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 \u00a0\u00a0 Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 \u00a0\u00a0 Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 \u00a0\u00a0 Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 \u00a0\u00a0 Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 \u00a0\u00a0 Information Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 \u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 \u00a0\u00a0 Requirements<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1 \u00a0\u00a0 WSU-Owned Endpoints<\/a><\/li>\n<li><a href=\"#Four_2\">4.2 \u00a0\u00a0 Employee-Owned Endpoints<\/a><\/li>\n<li><a href=\"#Four_3\">4.3 \u00a0\u00a0 Digital Endpoint Security<\/a><\/li>\n<li><a href=\"#Four_4\">4.4 \u00a0\u00a0 Physical Endpoint Security<\/a><\/li>\n<li><a href=\"#Four_5\">4.5 \u00a0\u00a0 Moderate- and High-Impact Systems<\/a><\/li>\n<li><a href=\"#Four_6\">4.6 \u00a0\u00a0 WSU Information Datasets<\/a><\/li>\n<li><a href=\"#Four_7\">4.7 \u00a0\u00a0 Public Records<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 \u00a0\u00a0 Training<\/a><\/li>\n<li><a href=\"#Six_0\">6.0 \u00a0\u00a0 Resources and Related Policies<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0 Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1 Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2 Specific Policy Overview and Purpose<\/h4>\n<p>The security of endpoints, including but not limited to smartphones, tablets, and computers, is critical to protect institutional data and prevent unauthorized access and other security threats to WSU systems. This policy sets forth requirements for the use of WSU-owned or employee-owned endpoints for the purpose of creating, storing, transmitting, and protecting institutional data.<\/p>\n<h3 id=\"Two_0\">2.0 Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0 Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1\u00a0 Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2 Information System Owners<\/h4>\n<p>WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.\u00a0<\/p>\n<h4 id=\"Three_3\">3.3 Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/endpoint-security-standard.pdf\"><u>standard (PDF)<\/u><\/a><u>\u00a0<\/u>associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/endpoint-security-procedure.pdf\">see examples (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0 Requirements<\/h3>\n<h4 id=\"Four_1\">4.1 WSU-Owned Endpoints<\/h4>\n<p>When technically feasible, Information System Owners are to ensure that WSU-owned endpoints display a system use notification or banner to users prior to granting access to the system.<\/p>\n<p>Only approved operating systems may be supported on WSU-owned endpoints.\u00a0 Any attempt to circumvent built-in operating system security controls is prohibited.<\/p>\n<p>A WSU Information Owner, or their delegate, must be assigned for all WSU-owned endpoints, including mobile endpoints. If an Information Owner cannot be determined for an endpoint, the endpoint is to be decommissioned in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<p>A centrally managed WSU endpoint management solution must be used.<\/p>\n<p>Once a WSU Information System Owner, or their delegate, has determined that the endpoint is no longer necessary, it must be decommissioned, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<p>Only approved software applications are to be installed on WSU-owned endpoints in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">UPPM 87.30<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-32\/\">87.32<\/a>.<\/p>\n<p>Each WSU-owned endpoint must run the latest tested, approved, and updated software for endpoint operating systems as well as all applications installed on the endpoint, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.<\/p>\n<p>All WSU-owned endpoints are to use:<\/p>\n<ul>\n<li>Endpoint protection software that includes the capability to detect and remove malicious code, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-42\/\">UPPM 87.42<\/a>; and<\/li>\n<li>Malicious code protection mechanisms that are automatically updated whenever new releases are available, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.<\/li>\n<\/ul>\n<p>Information System Owners, or their delegates, are responsible for maintaining an inventory of allowed applications within their environments.<\/p>\n<p>WSU-owned endpoints are to be configured to automatically lock after a period of inactivity, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-03\/\">UPPM 87.03<\/a>.<\/p>\n<p>All WSU System-owned endpoints must require user authentication prior to use in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-03\/\">UPPM 87.03<\/a>.<\/p>\n<h5 id=\"Four_1_a\">4.1.a\u00a0 \u00a0User Accounts<\/h5>\n<p>WSU endpoint users may access WSU institutional data from WSU-owned endpoints. In no circumstance may this data be generated, stored, or transmitted to data storage systems outside the control of WSU, except:<\/p>\n<ul>\n<li>As covered by existing contract with that vendor; or<\/li>\n<li>As specifically allowed as part of assigned job duties; and<\/li>\n<li>When doing so is not a violation of WSU policy or state or federal law and is managed in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-15\/\">87.15<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">87.40<\/a>, and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/\">87.53<\/a>.<\/li>\n<\/ul>\n<p>All WSU user accounts utilized on WSU endpoints are to be based upon the principle of &#8220;least privilege,&#8221; in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-03\/\">UPPM 87.03<\/a>.<\/p>\n<p>WSU endpoint users may not be granted direct administrative\/root level access to WSU-owned endpoints. When official job role functions require administrator\/root level access, a separate user account must be created for this purpose. As with other user accounts, these separate administrative\/root level accounts are to be authorized, inventoried, and utilized in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-03\/\">UPPM 87.03<\/a>.<\/p>\n<p>Generic administrator or privileged user accounts must never be directly used to access a WSU-owned endpoint except in the case of a documented emergency on the system.<\/p>\n<p>By accessing or using WSU-owned endpoints, WSU employees consent to routine monitoring of data stored, processed, transmitted, or otherwise used on the endpoint system, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.<\/p>\n<h4 id=\"Four_2\">4.2 Employee-Owned Endpoints<\/h4>\n<p>WSU Information Owners, or their delegates, may allow the use of employee-owned endpoints to access WSU data if:<\/p>\n<ul>\n<li>The endpoints comply with WSU\u2019s security and privacy control requirements;<\/li>\n<li>WSU data is maintained and backed up using a WSU-managed backup solution; and<\/li>\n<li>The employee-owned endpoint is enrolled in a WSU-managed endpoint management solution with remote-wipe capability of WSU managed data.<\/li>\n<\/ul>\n<p>Use of employee-owned endpoints on WSU networks is a privilege and may be revoked by the appropriate business unit (WSU Information Owner, or their delegate) for any reason.<\/p>\n<p>Employee-owned endpoints with compromised security controls (<em>i.e.,<\/em> operating system security controls that have been circumvented) are prohibited from accessing WSU resources, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.<\/p>\n<p>All employee-owned endpoints that access WSU data must be configured to utilize whole-disk encryption on the endpoint, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-33\/\">UPPM 87.33<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">87.40<\/a>.<\/p>\n<h4 id=\"Four_3\">4.3 Digital Endpoint Security<\/h4>\n<p>All endpoints used to store, process, transmit, or otherwise use WSU data are required to be secured and managed by a WSU-managed endpoint management solution with remote-wipe capability of WSU managed data in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">UPPM 87.30<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">87.72<\/a>.<\/p>\n<p>Logging and monitoring must be enabled on WSU-owned endpoint systems in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\/\">UPPM 87.50<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-12\/\">87.12<\/a>, and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">87.40<\/a>.<\/p>\n<p>Information System Owners, or their delegates, must document and maintain a System Security Plan (SSP) for WSU-owned endpoints, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-15\/\">UPPM 87.15<\/a>.<\/p>\n<p>The SSP must include the security controls implemented on the endpoints to protect the confidentiality, integrity, availability, and privacy of WSU information. Selected controls must be based upon the classification of the data that is stored, processed, transmitted, or otherwise used by the endpoint, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/\">UPPM 87.53<\/a>.<\/p>\n<p>WSU Information System Owners, or their delegates, are to establish, document, and maintain baseline configuration requirements and security controls for WSU-owned endpoints, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">UPPM 87.30<\/a>. Baselines must be based upon the principle of &#8220;least functionality.&#8221;<\/p>\n<p>Endpoint devices must have WSU data backed up using a WSU-managed backup solution, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-70\/\">UPPM 87.70<\/a>. WSU is not responsible for conducting system- or user-level backups of non-WSU data on employee-owned endpoints. (See also <a href=\"#Five_2\">Section 5.2<\/a>.)<\/p>\n<p>Vulnerability scans are to be performed on a regular basis on WSU moderate- and high- impact endpoints, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-17\/\">UPPM 87.17<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-25\/\">87.25<\/a>.<\/p>\n<p>Remote administration must be performed in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-51\/\">UPPM 87.51<\/a>.<\/p>\n<h4 id=\"Four_4\">4.4 Physical Endpoint Security<\/h4>\n<h5 id=\"Four_4_a\">4.4.a\u00a0 \u00a0Travel to High-Risk Areas<\/h5>\n<p>WSU employees known to be travelling to high-risk areas external to WSU (<em>e.g.,<\/em> foreign countries) with moderate- or high-impact endpoints, are to be issued systems or components by the WSU area unit with configurations and controls to counter any increased threat. (See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-95-53\/\">UPPM 95.53<\/a> for international travel policy information, including export controls and specific requirements for federally-funded researchers.)<\/p>\n<p>See the following websites for security tips for international travel:<\/p>\n<ul>\n<li><a href=\"https:\/\/orso.wsu.edu\/export-control-regulations\/\">Office of Research and Support Operations (ORSO) Export Control Regulations<\/a><\/li>\n<li><a href=\"https:\/\/ora.wsu.edu\/export-controls\/\">Office of Research Assurances (ORA) Export Control Regulations<\/a><\/li>\n<li><a href=\"https:\/\/its.wsu.edu\/documents\/2022\/04\/security-tips-for-international-travel-pdf.pdf\/\">Information Technology Services (ITS) Electronic Device Security Tips for International Travel<\/a><\/li>\n<\/ul>\n<h5 id=\"Four_4_b\">4.4.b\u00a0 \u00a0Visiting Third-Party Entities<\/h5>\n<p>The appropriate WSU Information System Owner, or their delegate, must:<\/p>\n<ul>\n<li>Provide authorization to any visiting third-party entity, (e.g. vendor, supplier, etc.) to allow them access to WSU-managed network resources; and<\/li>\n<li>Escort the visiting third-party entity.<\/li>\n<\/ul>\n<p>This requirement does not apply to access to the guest wireless network, which provides visitors with general access to the internet.<\/p>\n<h5 id=\"Four_4_c\">4.4.c\u00a0 \u00a0Lost and Stolen Endpoints<\/h5>\n<p>Employees are to report any lost or stolen WSU-owned endpoint to the WSU Pullman Information Technology Services (ITS) Security Operations Center (SOC) as soon as possible in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-55\/\">UPPM 87.55<\/a>.<\/p>\n<p>Physical security controls are to be implemented for all WSU-owned endpoints, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-62\/\">UPPM 87.62<\/a>.<\/p>\n<h4 id=\"Four_5\">4.5 Moderate- and High-Impact Systems<\/h4>\n<p>Moderate- and high-impact WSU-owned endpoints that access WSU data must be configured to utilize whole-disk encryption on the endpoint, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-33\/\">UPPM 87.33<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">87.40<\/a>.<\/p>\n<p>Moderate- and high-impact WSU systems must implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.<\/p>\n<h4 id=\"Four_6\">4.6 WSU Information Datasets<\/h4>\n<p>WSU Information System Owners, or their delegates, must work with WSU Information Owners, or their delegates, to identify and document all WSU internal, confidential, and regulated information datasets that are approved to be stored, processed, transmitted, or otherwise used on endpoints, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-15\/\">UPPM 87.15<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/\">87.53<\/a>.<\/p>\n<p>WSU data and communications created, sent, received, or stored on WSU-owned or employee-owned endpoints are the property of WSU and are considered WSU information, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.<\/p>\n<h4 id=\"Four_7\">4.7 Public Records<\/h4>\n<p>WSU is obligated to preserve and make available to the public all records containing information relating to WSU business that are prepared, owned, used, or retained by the University, unless the record is exempt (see <a href=\"https:\/\/app.leg.wa.gov\/rcw\/default.aspx?cite=42.56\">RCW 42.56<\/a> and <a href=\"https:\/\/app.leg.wa.gov\/wac\/default.aspx?cite=504-45\">WAC 504-45<\/a>).<\/p>\n<p>Public records formats include, but are not limited to, documents, texts, phone calls, voicemail, email, instant messaging, calendars, photos, and videos.<\/p>\n<p>By using WSU- or employee-owned endpoints to conduct WSU business, employees understand and acknowledge this obligation, in accordance with WSU\u2019s records management and public records policies, UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-01\/\">90.01<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-03\/\">90.03<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-05\/\">90.05<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-06\/\">90.06<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-07\/\">90.07<\/a>, and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-12\/\">90.12<\/a>. (See also Policies, Records, and Forms <a href=\"https:\/\/policies.wsu.edu\/prf\/records-retention-and-disposition\/\">Records Retention and Disposition<\/a>.)<\/p>\n<h3 id=\"Five_0\">5.0 Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<h3 id=\"Six_0\">6.0 Resources and Related Policies<\/h3>\n<ul>\n<li><a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-01\/\">UPPM 90.01<\/a>: University Records-Retention and Disposition Policy<\/li>\n<li><a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-95-53\/\">UPPM 95.53<\/a>: International Travel Policy<\/li>\n<\/ul>\n<hr \/>\n<p style=\"font-size: .8rem\">_______________________<br \/><strong>Revisions:<\/strong>\u00a0 Feb. 2026 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-651\/\">651<\/a>); June 2020 &#8211; new policy (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-549\/\">549<\/a>)<\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Electronic Device (Endpoint) Security<\/p>\n","protected":false},"author":1061,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43522"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/1061"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=43522"}],"version-history":[{"count":29,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43522\/revisions"}],"predecessor-version":[{"id":69985,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43522\/revisions\/69985"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=43522"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=43522"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=43522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}