ISO Services

Submit a ticket to request the services listed below.

Vulnerability Scans

The scanner is capable of meeting all the requirements outlined for RA-5 priorities low, medium, and high. The appliance performs assessments against system security policies and identifies vulnerabilities with CVE scoring. It has customizable templates that measure compliance with SOX, PCI DSS, HIPAA, ISO 27002, FISMA, and the FDCC (Federal Desktop Core Configuration) baseline. It supports content that follows XCCDF, OVAL, and SCAP (Security Content Automation Protocol). Compliance with the security policies can be stored and tracked within the asset manager capability. Periodic assessments, credentialed or not, can be run manually or on a schedule. Known threats can be correlated against assets whose vulnerabilities have been assessed within the manager, so that remediations can be applied quickly. Credentialed scans are available for Microsoft Windows, Unix/Linux, Cisco IOS, and VMware platforms.

There is a documented process in place to perform these assessments. The results of the scan are evaluated by Information Security Office (ISO) staff with knowledge of the system environment, data, and operational use. The risk of each vulnerability is weighed against this background, and a remediation plan is established on that basis. Results are discussed and shared with system administrators.

Web Scans

The ISO provides a web vulnerability scan of WashU websites as requested. The ISO recommends scanning all websites that will contain PHI. The web scan may be set up for passive, active, or user-directed scanning. The results of the scan are evaluated by ISO staff with knowledge of the system environment, data, and operational use. The risk of each vulnerability is weighed against this background, and a remediation plan is established on that basis. Results are discussed and shared with system administrators.

SIEM

The SIEM, together with other tools, gives an aggregate view of the operational posture. The SIEM in particular can be used to identify threats, monitor access, and demonstrate compliance. The University benefits from a quicker response time to problems, a second set of eyes on its critical applications, better incident response, improved regulatory compliance, and better overall service.

Training

The ISO provides training for faculty, staff, and students as requested. The training will be customized to meet the needs of the department or school.

IRB Information Security Review

We will need the following information to begin the assessment:

  1. Study number and/or name
  2. Identify what ePHI and PII (electronic protected health information, personally identifiable information) data elements you will be collecting, storing, or transmitting
  3. Identify where the ePHI/PII will be created, stored, or transmitted (network share, workstation, laptop, USB drive, external site; provide product name and vendor). If a vendor is used, is a Business Associate Agreement in place?
  4. How is the ePHI/PII protected (password-protected document, encrypted USB drive, secure transmission)?
  5. Are you using social media for outreach? If so, how is this addressed in your Informed Consent?
  6. Will the information be stored on a WUSM-supported device?
  7. What is the submission date?
  8. Identify the outside sponsor for this study (e.g. Pharmacia, Pfizer).
  9. Is this a multicenter study? If yes, which center will host the data? What type of data will be hosted by the data coordinating site (identifiable, limited data set, de-identified)?
  10. Will a survey be used in the study? If so, who will host the survey and where will the data be stored? Please provide a copy of the survey.