The Office of Information Security helps the WashU community secure and protect the information created, transmitted, or hosted by the University.  Our risk-assessment process helps us identify the security risks to this information and provide necessary controls to reduce risks for the University.

Helpful Information for Users


We use a third-party application, OneTrust, for a number of these forms. The links below will route you to our OneTrust portal. To connect, please login with your WUSTLKey.


  1. Please be aware that the “Submit” button for your form will not become available until every required question is answered. Saving a completed form will not submit it to our office for review. 
  2. Please provide as much detail as possible in each form. These details help our office accurately complete the risk assessment on the project, system, or study.
  3. Detailed, step-by-step guidance is now available for several forms. Guidance for all forms is currently in development.
  4. Please be aware that the specific language in these forms may undergo minor editing as necessary for better clarity, but the requested information and purpose of the form will remain the same.
  5. If you have questions or need assistance, please contact our office at

DUO Exception Request Form

To enhance our information security, WashU IT will require an approved exception request form for both the Call Me and Passcode authentication methods of WashU Two-Factor Authentication (2FA).

Exception Form

In the policy exception request review process, our team works with the requestor to evaluate the risks that may arise because of the exception.

Incident Report

Departments and schools should use this form when reporting a computer security incident that involves sensitive university information.

IRB Security Review

In the IRB Security Review process, our team works with research coordinators to evaluate security risks involved in the research process.

IT Procurement Vendor Intake Form

We use the IT Procurement Vendor Intake Form to collect pertinent information about prospective vendors and software platforms.

Web Application Risk Assessment

The objective of a Web Application Risk Assessment is to identify potential risks to WashU websites, web applications, or the hosting infrastructure.