Information Security Policy

Statement of Policy

Washington University in St. Louis (WashU) is committed to conducting all university activities in compliance with all applicable laws, regulations and university policies. WashU has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

Objective

To provide management direction and support for the information security program in accordance with university requirements, relevant laws and regulations.

Policy

Information security is the protection of electronic information from threats in order to ensure business continuity for WashU, minimize risks, and maximize university opportunities.

The Information Security Office (ISO) will manage the information security program at WashU. Information security is not the purview of any one functional group. Cooperation from all schools and departments is required to secure the environment and satisfy compliance requirements. The ISO will engage with the schools and departments to support the mission of clinical, research and academic excellence by ensuring that information system assets and data are protected at a level commensurate with their classification, sensitivity and criticality. Information system assets and data must be consistently and appropriately protected, regardless of their stage in the life cycle from origination to destruction.

The ISO will work with liaisons from WashU departments and schools to develop and maintain administrative, technical, and physical safeguards to protect the confidentiality, integrity and availability of information system assets and of regulated and confidential information. Members of the workforce are responsible for the information and assets that they receive, store, utilize and transmit. The ISO will monitor and review the safeguard measures and controls and will take into consideration any changes in the law, industry regulations, technology, WashU policies, standards, guidelines and procedures.

References

Policy Review and Approval Guidelines
Security Liaison Roles and Responsibilities Guidelines
Security Management Guidelines
Security Awareness and Training Guidelines
Policy Exception Handling Process
Policy Exception Request Form

Title: Information Security Policy
Version Number: 2.0
Creation Date: November 15, 2007
Applicability: Information Security Office
Reference Number: 01.01
Status: Final
Revision Date: April 6, 2016
Policy Owner: Information Security Office
Review Date: April 6, 2017