The Information Security Office (ISO) will review and identify the applicable security frameworks – International Organization for Standardization, National Institute of Standards and Technology (NIST) Security Controls (SP800-53) and other identified industry standards to be applied and tailored within Washington University (WashU) departments and schools.
Controls will be assigned to create protection levels. Control assignments will be based on the information classification – (protected, confidential and public) and system classification (regulated, business, research, and academic) of the information created, hosted, or transmitted within the universities infrastructure.
NIST SP800-53 Control Families
Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Security Assessments (CA)
Configuration Management (CM)
Contingency Planning (CM)
Identification and Authentication (IA)
Incident Response (IR)
Media Protection (MP)
Physical and Environmental Protection (PE)
Personnel Security (PS)
Risk Assessment (RA)
System and Services Acquisition (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Wash U Domain of Trust (DOT) Controls Workbook
The One Campus Security Posture Policy was designed to divide/segment the enterprise network into secure network segments or Domains of Trusts (DOT) is a step to create a layered infrastructure. This is consistent with moving security controls closer to the assets (information and infrastructure) they are intended to protect; a DOT implies a level of trust. A level of trust provides assurance to the chief-suite that information is protected by a known and measurable means; the means we consider as controls. Levels of trust suggest levels of assurance as well.
In order to have these assurances it is important for tenants of the trust domain to adhere to the controls established for them.
All Information Technology assets are required by policy to be placed in one of three established trust domains. This workbook will be used to complete any System Security Plan (SSP) in cases where the Information System or IT infrastructure has been classified into a DOT and requires a SSP by regulation, contract, or because risks to the university is high.
The controls in this work book also prescribe the expected protections required within each trust zone.
Wash U 800-53 Low Impact Controls Workbook
A key element of risk-based security, is the idea that defenses should reflect the level of risk to a system. The systems are rated as high, moderate, or low impact depending on the effect a breach of the system would have on the university or agencies mission. High-impact systems should be defended against “high-skilled, highly motivated, and well-resourced” threats, while systems or information that presents less impact can be defended with a lighter set of controls. Agencies and information owners will classify information and state the level of impact to the organization or agency if information is breached; this is typically known as a FIP199 categorization process.
This workbook will be used to complete any System Security Plan in cases where a government agency has designated in the contract the infrastructure/system should be protected at a LOW Impact level.
Wash U 800-171 Control Workbook
NIST 800-171 is a subset of requirements focused on information confidentiality taken directly from the NIST 800-53 publication that specifically apply to Controlled Unclassified Information (CUI) shared by the federal government with a non-federal entity.
The controls protect CUI in non-federal IT systems from unauthorized disclosure. Washington University in conducting research, frequently encounters CUI in carrying out the contracted work for federal agencies. This workbook should be used to complete any System Security Plan in cases where CUI has been designated or is expected to be received or generated during the research effort.
System Security Plan
A System Security Plan (SSP) is a formal plan which documents the controls that have been selected to mitigate the risk of a system or infrastructure. It is a record of adherence to a control framework and defines the plan of action required to mitigate deficiencies. Controls are determined by a risk analysis and often are passed down through agency contracts or applicable laws.
A SSP is implemented in IT environments when required by agency contracts or when impact to information Confidentiality, Integrity, and Availability (CIA) are above university risk tolerance levels.
It is used to protect and control an information system. It also serves as a mechanism to demonstrate compliance to a set of standards and is given to the agency or prime contractors as a means to demonstrate compliance. It is created using the organization/IT environment security framework as the benchmark.
An SSP includes:
- List of authorized personnel/users/entities that can access the system/infrastructure and the authorizations that are permitted on the system
- A description of the system/infrastructure environment
- A definition of the system/infrastructure boundaries that are in scope of the plan and under the control framework.
- Access control methods, or how users will access the system (user ID/password, digital card, biometrics)
- Documented compliance to a control framework
If you are required to have an SSP or it has been determined that you should have one the template is where you should begin. Please consult with Information Security for additional guidance.
Laws and Regulations
HIPAA (Health Insurance Portability and Accountability Act) protected health information exists in three formats within this environment.
1. Designated Record Set stored within the Physicians Billing and Electronic Medical Record Systems and is the official medical record for our clinical patients. This is the focus for applying for Meaningful Use and all risks to this environment will be documented under a Meaningful Use Risk Section of this document.
2. Subsets of the designated record that is used by the administrative functions to assist with billing, financial planning and quality assurance and quality improvement processes and or feeds to our inpatient partner BJC.
3. Datasets that are built in the research environment using inclusion criteria extracted from the medical record and regulated by the Human Rights Protection Office.
FERPA (Family Educational Rights and Privacy Act) is a federal law intended to protect the privacy of student education records accumulated from early childhood through college.
PCI-DSS (Payment Card Industry – Data Security Standards) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
PII (Personally Identifiable Information) 48 State Privacy laws vary in notification and severity but mandate the protection of information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context including social security numbers and other financial related information.
CUI (Controlled Unclassified Information) – Some government information is available to the public. Classified information is defined by Executive Order 13526 (issued December 29, 2009) or the Atomic Energy Act of 1954 and is required to have classified markings and protection against unauthorized disclosure. CUI is information that is not publicly available, does require safeguarding or dissemination controls, but is not classified. Most Government Agencies through their research contracts often specify this information be protected per NIST SP800-171.
There are no forms related to this service.