Policy 103 Information Security Device Management

Purpose 

This policy outlines security expectations for all devices (e.g., laptops, mobile phones, thumb drives, external hard drives) that access the information resources of Washington University in St. Louis (WashU) and includes specific requirements for devices handling WashU Protected Data and Information.

Departments, schools, and units may adopt additional, but not less restrictive, security controls and practices as supplements to this policy as necessary. WashU Community members should check with their department, school, or unit for more information and/or additional policies.

Applicability and Audience  

This policy applies to all computing resources that access university networks, data, systems, and services, or are used in university operations, regardless of ownership. 

This policy affects all WashU Community members with access to WashU Confidential and Protected Information. This includes faculty, staff, students, and any agent of the university, including, but not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. 

All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Information Security Roles and Responsibilities (100.01)

Policy

103.00 Introduction  

WashU must ensure the Confidentiality, Integrity, and Availability (CIA) of the information our institution creates, hosts, and transmits. Securing our information resources relies on everyone in the WashU Community. 

103.01 Universal Device Security  

All computers and devices that access university networks, services, systems, and data must have basic security features enabled, regardless of ownership, management, or geographic location. Security controls are applied according to risk. Therefore, WashU may update and require additional device controls as necessary, allowing adaptation to the evolving cyberthreat landscape. 

Refer to Policy 112: Information Security Acceptable Use and Standard 203: Universal Device Management for additional information. Additionally, WashU Community members will adhere to any specific department or school procedures for devices.

Personal Devices  

WashU Community members who choose to use a personal device for university activities must adhere to all applicable information security policies and standards and need to be aware of the following:

Standard 203: Universal Device Management includes additional information about responsibilities associated with using a personal device.

Security for Devices Containing Protected Data and Information

Protected Data and Information, such as Protected Health Information (PHI) and Personally Identifiable Information (PII), is regulated by industry rules and legislation such as the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and, for financial aid information, the Gramm-Leach-Bliley Act (GLBA). Personal devices are not always capable of meeting the minimum security requirements for this information.

WashU Community members with access to Protected Data and Information are responsible for taking the following steps to ensure better protection of their data and device:  

  • Only devices that are encrypted and receive vendor updates and patches should connect to the WashU network. 
  • Meet CIS Benchmark recommendations for Windows and Mac devices. Devices from other vendors are acceptable only if they meet the equivalent CIS Benchmark recommendations.  
  • Do not use computer operating systems beyond the manufacturer's end-of-life date. If continued use is unavoidable, submit an exception request documenting compensating controls and a replacement strategy. Refer to Standard 205: Information Security Risk Management for additional information about system end-of-life.  
  • Avoid storing Protected Data and Information on personal devices. If Protected Data and Information must be stored on a personal device, it must be protected by encryption according to Standard 213: Information Security Encryption.

Failure to implement these controls when handling HIPAA-Protected Information will result in sanctions in accordance with the WashU Policy on Sanctions for Non-Compliance with HIPAA Policies.  

Standard 200: Information Security Classification, Labeling, and Handling includes additional information about working with Protected Data and Information.

Connecting Devices to the WashU Network and Accessing Protected Data and Information  

If the device is connected to the WashU network and will access Protected Data and Information, users must:

  • Conform to all WashU policies and protections. Refer to the WashU Compliance Office website for additional information.
  • Ensure the device is up to date on all patches and antivirus definitions. 
  • Never connect to the university network using unsecured or public Wi-Fi.  
  • Always use WashU’s VPN service when connecting to the WashU campus network from remote locations. 

103.02 Media 

Media that store WashU data must be protected from unauthorized access, change, and destruction.  

Refer to Standard 200: Information Security Classification, Labeling, and Handling for additional information about media labeling, handling, access, and disposal.

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the appropriate Area Specific Compliance Offices, Human Resources, or the Office of Student Conduct.  

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.

Policy 108: Information Security Requests to Access User Content  

Policy 112: Information Security Acceptable Use  

Standard 200: Information Security Classification, Labeling, and Handling  

Standard 203: Universal Device Management 

Standard 205: Information Security Risk Management 

Standard 213: Information Security Encryption  

References 

Center for Internet Security, Benchmarks List 

National Institute of Standards and Technology (2018) Cybersecurity Framework 

National Institute of Standards and Technology (2020) Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations, Rev. 5

Policy Review 

This policy will be reviewed by the OIS at a minimum of every three years.   

Policy Number and Title: 103 Information Security Device Management  

Owner: Office of Information Security  

Approved By: Cyber Security Executive Advisory Committee

Original Approval Date: June 6, 2024

Current Version Publication Date: November 27, 2024