106 Information Security Infrastructure Risk Management

The following table shows who is responsible for ensuring compliance with the policy requirements listed below.

Responsible parties (the table's columns): All Users; System Owners; Network Administrators; WashU IT / IT @ WashU; Departments, Schools, and Units.

Requirements:

  • Confer with the OIS to ensure controls are in place and commensurate with the criticality of the system and data (p. 2).
  • The confidentiality and integrity of information systems and transmitted information are protected in systems for which the System Owner is responsible (p. 3).
  • High-risk information systems use encryption to prevent unauthorized disclosure of information at rest and during transmission (p. 3).
  • Activity logs are systematically collected, maintained, and supplied to the OIS (p. 3).
  • Network segregation and segmentation will be based on system and data classification (p. 3).
  • Logical and physical controls will be applied to infrastructure to protect the confidentiality, integrity, and availability (CIA) of WashU information resources (p. 3).
  • Access to equipment storage areas, secure areas, and delivery and loading areas will be restricted to authorized personnel, logged, and monitored (p. 4).
  • Ensure that appropriate cooling, fire suppression, and redundant power services are in place to maintain the environment in the case of outages (p. 4).
  • Security events and incidents affecting WashU infrastructure must be reported to the OIS (p. 4).
  • Develop, document, and implement maintenance processes for information systems throughout the lifecycle (p. 4).
  • Integrity checking mechanisms will be used to verify hardware integrity (p. 4).
  • Security controls based on system and data classifications will be identified, documented, and implemented as appropriate to the criticality of the system (p. 4).

Summary of Policy

This policy sets directives for protecting the components and systems that make up the WashU information infrastructure from unauthorized access, modification, disclosure, or denial of service. It covers the following topics:

  • Protection of system, communication, and control networks 
  • Network segregation and segmentation  
  • Infrastructure physical security (e.g., access control and environmental controls)  
  • System maintenance and repair 

Full Text of Policy

Policy 106 Information Security Infrastructure Risk Management

The scope of this policy encompasses all network assets, systems, computing devices, services, and operating personnel.

Related Information

101 Information Security Status Monitoring, Reporting, and Review

This policy communicates logging requirements for academic, clinical, administrative, research, and technical information security activities at WashU.

104 Information Security Vulnerability Management

This policy communicates the core principles and objectives for information security vulnerability management, including planning, detection, mitigation, and patching.

109 Information Security Incident Reporting, Response, and Recovery

This policy communicates a planned and systematic approach to incident handling from reporting to recovery and analysis.

110 Information Technology Change Control and Management

This policy outlines processes for maintaining the security and integrity of information assets throughout their lifecycles.

200 Information Security Classification, Labeling, and Handling

This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).

202 Information Security Identity, Authentication, and Access Control

Review and revision of this standard is in progress. Please contact infosec@wustl.edu.