WashU IT’s Office of Information Security is fostering a strong security culture through policy updates
![WashU CyBear Secure Program Protect & Empower](https://informationsecurity.wustl.edu/files/2024/05/Cyber.png)
In support of ImpacT and the call to provide the university community with tools and the knowledge to safeguard and sustain our systems, data, and reputation, the Office of Information Security (OIS) has initiated a complete revision and expansion of the OIS policy library. The goal is to foster a strong security culture at WashU […]
WEBINAR: Exciting Days in the Office of Information Security with CISO, Chris Shull
Curious about attempted cybercrime at WashU? Join our webinar to learn about how WashU protects its users and systems from online threats. Chris Shull, Chief Information Security Officer, will talk about the comprehensive preventive, detective, and responsive defenses we are building in response to the wide range of Information Security challenges we face. One […]
The Office of Information Security (OIS) is Your Ally in the Cybercrime Arms Race
Educational institutions such as WashU are prime targets for cybercriminals who use ever-evolving tactics to infiltrate systems, steal data, block access, and demand ransoms under the threat that they will publish sensitive data online. Universities operating medical centers are especially vulnerable, as they manage large amounts of sensitive patient health data. According to the Ponemon Institute, […]
Chief Information Security Officer (CISO)
Meet Your Infosec Team: Chief Information Security Officer, Chris Shull
On June 1, 2021, Chris Shull assumed the role of Chief Information Security Officer (CISO) for Washington University in St. Louis. He comes to WashU from Huron Consulting Group, which is working on several other projects at WashU. Chris has joined Joe Susai, the CISO for the School of Medicine, and Kevin Hardcastle, Associate CISO […]
Introducing Interim Chief Information Security Officer, Chris Shull
In September, Chris Shull assumed the role of Interim Chief Information Security Officer (CISO) for Washington University in St. Louis. He comes to us from Huron Consulting Group, which is working on several other projects at WashU. Kevin Hardcastle has stepped back from the CISO role, and is working diligently with Chris to advance the […]
WEBINAR: Meet Joe Susai, WUSM Chief Information Security Officer
The Office of Information Security will host a webinar featuring one of our newest IT leaders on the School of Medicine campus, Joe Susai, WUSM chief information security officer (CISO). Susai will share remarks about his new role at the medical school and how he will work with WashU CISO, Kevin Hardcastle, to provide strong […]
Keeping Information Security Simple – Deceptive Layering and Abuse of QR Codes, DocuSign, and PayPal Accounts
![Open Letter](https://informationsecurity.wustl.edu/files/2023/05/AdobeStock_177269163.png)
Letter from the CISO, Vol 4 Issue 8 WashU Community: A New Year of Opportunities and Approaches Our theme for January is “Celebrating the New Year – from new tech to new approaches, what’s new?” Unfortunately, while we keep deploying better tools to keep everybody safe and secure, cybercriminals are also developing new tricks and […]
New Year, New Security Habits: Refresh Your Digital Life for 2025
![New year, new security habits. Refresh your digital life for 2025](https://informationsecurity.wustl.edu/files/2025/01/New-Year-New-Securtiy-Habits-350x293.png)
Ringing in 2025 is the perfect time to organize our online lives and reflect on our current cybersecurity habits. With cyber threats constantly evolving, conducting a health check on devices, accounts, and habits is essential. The WashU Awareness, Behavior, and Culture (ABC) team has identified five key areas to help us take the first steps […]
Information Security Policy Library Update
The Office of Information Security (OIS) recently completed a major revision and expansion of the OIS policy and standards library. The goal of the project is to foster a strong security culture at WashU through clear and comprehensive coverage of all recommendations in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). All […]
Keeping Information Security Simple – Winter Break Cyber Security Mission
![Open Letter](https://informationsecurity.wustl.edu/files/2023/05/AdobeStock_177269163.png)
Letter from the CISO, Vol 4 Issue 7 WashU Community: Your mission for the holidays… The Mission Impossible TV series and movies often begin with “Your mission, should you choose to accept it…” As we approach the winter break and holidays, I propose you accept the mission of helping your family and friends improve their […]
Policy 111 Information Security for Software Development, Management, and Administration
This policy establishes secure application development and procurement practices for departments and schools at Washington University in St. Louis (WashU).
Policy 113 Information Security Encryption
This policy specifies acceptable encryption algorithms for use with Washington University in St. Louis (WashU) data, encryption requirements for WashU Confidential and Protected Data, and acceptable key management practices, following recommendations of the National Institute of Standards and Technology (NIST).
Policy 108 Information Security Requests for Access to WashU User Content
This policy describes how OIS handles requests for access to content created by active or former WashU Community members.
Policy 102 Information Security Authentication, Authorization, and Audit
This policy outlines processes for granting, managing, and reviewing access to university systems and data based on user roles during normal and emergency operations.
213 Information Security Encryption
DRAFT This standard establishes security guidelines at the university to protect electronic information from unauthorized access, modification, or loss during storage, transfer, or use.
208 Information Security Handling of Requests for Access to WashU User Content
DRAFT This standard specifies the circumstances in which the OIS facilitates access to user content during investigations and for the continuation of university activities. Additionally, this standard communicates typical retention practices for User Accounts and Content.
202 Information Security Identity, Authentication, and Access Control
DRAFT This standard establishes requirements for verifying user identities and authenticating user requests for access to systems and services at Washington University in St. Louis (WashU). This standard also communicates expectations that system managers and administrators must follow to control access to WashU information resources.
111 Information Security for Software Development, Management, and Administration
This policy establishes secure application development and procurement practices for departments and schools at Washington University in St. Louis (WashU).
108 Information Security Requests to Access User Content
This policy describes how the Office of Information Security (OIS) handles requests for access to content created by active or former WashU Community members.
104 Information Security Vulnerability Management
This policy communicates the core principles and objectives for information security vulnerability management, including planning, detection, mitigation, and patching.
Policy 106 Information Security Infrastructure Risk Management
The scope of this policy encompasses all network assets, systems, computing devices, services, and operating personnel.
Policy 105 Information Security Risk Management
The policy describes how the OIS manages technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of WashU information resources.
Policy 104 Information Security Vulnerability Management
The policy communicates core principles and objectives for vulnerability management, including planning, detection, mitigation, and patching.
Policy 103 Information Security Device Management
This policy outlines the security expectations for all devices (e.g., laptops, mobile phones, thumb drives, external hard drives, etc.) that access WashU information resources or store WashU data.
206.1 Network Security
DRAFT This standard establishes a comprehensive framework for protecting WashU’s network infrastructure against threats and vulnerabilities.
206 Server Security
DRAFT This standard establishes a protocol for securing servers within Washington University in St. Louis (WashU).
205 Information Security Risk Management
DRAFT This standard supports Policy 105: Information Security Risk Management by providing a detailed framework for identifying, assessing, mitigating, and managing security risks to the university.
204 Information Security Vulnerability Management
DRAFT This standard establishes a structured approach to identifying, assessing, prioritizing, and mitigating vulnerabilities within the IT infrastructure at Washington University in St. Louis (WashU).
Keeping Information Security Simple – Who are you? The importance of identity verification
![](https://informationsecurity.wustl.edu/files/2024/11/CISO.png)
Letter from the CISO, Vol 4 Issue 6 WashU Community: Over the past year, malicious actors have increasingly sought to compromise your accounts by impersonating you and trying to get customer service people to give them access to your accounts. We have seen this repeatedly at WashU, too. In response, we have improved our processes […]
Information Security Policy Library Update
In support of ImpacT and the call to provide the university community with tools and the knowledge to safeguard and sustain our systems, data, and reputation, the Office of Information Security (OIS) has initiated a complete revision and expansion of the OIS policy library. The goal is to foster a strong security culture at WashU […]
115 Notice of Monitoring and Information Security Investigative Practices
This policy conveys the commitment of the OIS to the responsible collection, use, and safeguarding of personal information.
Policy 115 Notice of Monitoring and Information Security Investigative Practices
The Notice of Monitoring and Information Security Investigative Practices conveys the commitment of the OIS to the responsible collection, use, and safeguarding of personal information.
Policy 112 Information Security Acceptable Use
The Information Security Acceptable Use Policy outlines expectations for the appropriate use of WashU-provided information resources, ensuring that all WashU Community members understand their responsibilities.
Policy 114 Information Security Exceptions
The Information Security Exceptions Policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible.
Chief Information Officer (CIO)
Area Specific Compliance Officer (ASCO)
Keeping Information Security Simple – Are you cyber-resilient?
![Open Letter](https://informationsecurity.wustl.edu/files/2023/05/AdobeStock_177269163.png)
Letter from the CISO, Vol 4 Issue 5 WashU Community: I recently attended an executive education program on “Cyber Resilience” with Chief Information Security Officers (CISOs) from many large organizations, some even global enterprises, and it was amazing how similar our challenges are. Cyber resilience is ensuring things keep working despite adverse cyber incidents The […]
Cybersecurity Awareness Month 2024 Recap
![October is Cybersecurity Awareness Month](https://informationsecurity.wustl.edu/files/2024/10/October-350x350.png)
Cybersecurity Awareness Month 2024 is coming to a close. This year, we hosted two webinars, promoted key behaviors to encourage every employee to take control of their online lives, and published weekly newsletters full of content authored by the Office of Information Security. Below, you will find a recap of some of the key events […]
Careers in InfoSec: From Media Development to Building Security Culture
![Business mentor helps to improve career and holding stairs steps vector illustration.](https://informationsecurity.wustl.edu/files/2024/10/AdobeStock_494384036-350x233.jpeg)
With the highly technical appearance of information security, entering the field may seem daunting. What does it actually take to work in information security? In this series, we’ll cover WashU’s information security professionals and how they got to where they are now. Let me introduce you to my boss, Quint Smith. What is your current […]
Meet Your InfoSec Team: Allison Webster, Information Security Policy Advocate
![](https://informationsecurity.wustl.edu/files/2024/10/image-1-350x353.jpeg)
Allison Webster, our Information Security Policy Advocate, is one of the newest members of the InfoSec team at WashU. In her role, she supports the Awareness, Behavior, and Culture (ABC) program by collaborating on strategies to raise security awareness and communicating InfoSec policies, standards, and guidelines to the WashU community. At Washington University, Allison is […]
InfoSec Alert: Confidential and Protected Information not allowed in Adobe AI Assistant
![Screenshot of Adobe's AI assistant](https://informationsecurity.wustl.edu/files/2024/08/adobe-ai-assistant-350x327.png)
Use of Adobe’s AI Assistant with any WashU Confidential or Protected Information, including both Personally Identifiable Information (PII) and Protected Health Information (PHI), is not permitted. Due to data retention and use policies of the Adobe AI feature, WashU IT will begin disabling its use on our systems starting next week. The impacted applications are […]
Keeping Information Security Simple – New and Old School Financial Fraud – Dangers of Payment Apps and Paper Checks
![Open Letter](https://informationsecurity.wustl.edu/files/2023/05/AdobeStock_177269163.png)
Letter from the CISO, Vol 4 Issue 4 WashU Community: Whether you are a leading-edge user of online financial payment apps or a traditionalist who loves a signature on a paper check, malicious actors are out to separate you from your money. In the September 12, 2024 issue of Hacking Humans, “Baked goods and bad […]
October is Cybersecurity Awareness Month
![Cybersecurity Awareness Month. Webinar: Detecting AI Voice Clones TBD TBD. Webinar: Review of a Security Incident 10/23 11:00am-11:45am. E-Waste Recycling 10/29 8:00am-10:30am.](https://informationsecurity.wustl.edu/files/2024/09/informationsecurity.wustl_.edu-1-350x197.jpg)
October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. The Office of Information Security is proud to champion this online safety and education initiative this October. All month long, we are promoting these key behaviors to encourage you, our WashU community, […]
Learn About Cybersecurity and Win Big this October
![Trophy with five stars](https://informationsecurity.wustl.edu/files/2022/02/AdobeStock_462313157-350x233.jpeg)
The Office of Information Security is running a competition throughout October for Cybersecurity Awareness Month! WashU staff, faculty, and students can enter to win up to $1,000 in BearBucks. On September 26th, we released an Inside Man-themed game in KnowBe4, ‘The Inside Man: New Recruits Game’. Complete the game to earn an entry into our […]
Keeping Information Security Simple – Securing the most important account you have
![Open Letter](https://informationsecurity.wustl.edu/files/2023/05/AdobeStock_177269163.png)
Letter from the CISO, Vol 4 Issue 3 WashU Community: As we all return to school and the fall semester, I wanted to emphasize the criticality of securing the most important online account you have. No, not your WashU account! (Although that is important, too.) Rather, it is your humble and largely taken-for-granted personal email […]
Information Security Resources for Students
![An undergrad student with sign "First day of college!".](https://informationsecurity.wustl.edu/files/2023/08/CEFU-6837_0008-350x234.jpg)
Welcome back, students! We understand that starting a new semester will be hectic, so we’ve assembled key resources to assist with your security needs. Check out our curated list of advice and guidance to get you started. Device security is essential for protecting your privacy and data. Top-notch device security involves using features built into […]
Keeping Information Security Simple – CrowdStrike’s big goof and the importance of Cyber Hygiene
![Open Letter](https://informationsecurity.wustl.edu/files/2023/05/AdobeStock_177269163.png)
Letter from the CISO, Vol 4 Issue 2 Washington University Community: Last Friday, all the news was about the millions of Windows computers around the world that had been taken down by a flawed CrowdStrike file update. Starting in the wee hours of Friday morning, systems administrators and computer users everywhere were struggling to boot […]
Keeping Information Security Simple – “How to be a Telephone Fraud Prevention Hero”
![Open Letter](https://informationsecurity.wustl.edu/files/2023/05/AdobeStock_177269163.png)
Letter from the CISO, Vol 4 Issue 1 Washington University Community: An enormous amount of fraud is still being perpetuated via phone calls even though many people don’t use telephones very much. Cybercriminals seek your credit card or bank account numbers, access to your online bank accounts, and to install malware on your computer. But […]