106 Information Security Infrastructure Risk Management
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement | All Users | System Owners | Network Administrators | WashU IT / IT @ WashU | Departments, Schools, and Units |
---|---|---|---|---|---|
Confer with the OIS to ensure controls are in place and commensurate with the criticality of the system and data (p. 2) | ✔ | ✔ | ✔ | ✔ | |
The confidentiality and integrity of information systems and transmitted information are protected in systems for which the System Owner is responsible (p. 3) | ✔ | ✔ | | | |
High-risk information systems use encryption to prevent unauthorized disclosure of information at rest and during transmission (p. 3) | ✔ | | | | |
Activity logs are systematically collected, maintained, and supplied to the OIS (p. 3) | ✔ | | | | |
Network segregation and segmentation will be based on system and data classification (p. 3) | ✔ | | | | |
Logical and physical controls will be applied to infrastructure to protect the confidentiality, integrity, and availability (CIA) of WashU information resources (p. 3) | ✔ | ✔ | ✔ | ✔ | ✔ |
Access to equipment storage areas, secure areas, and delivery and loading areas will be restricted to authorized personnel, logged, and monitored (p. 4) | ✔ | ✔ | ✔ | | |
Ensure that appropriate cooling, fire suppression, and redundant power services are in place to maintain the environment in the case of outages (p. 4) | ✔ | ✔ | | | |
Security events and incidents affecting WashU infrastructure must be reported to the OIS (p. 4) | ✔ | | | | |
Develop, document, and implement maintenance processes for information systems throughout the lifecycle (p. 4) | ✔ | | | | |
Integrity checking mechanisms will be used to verify hardware integrity (p. 4) | ✔ | | | | |
Security controls based on system and data classifications will be identified, documented, and implemented as appropriate to the criticality of the system (p. 4) | ✔ | ✔ | ✔ | ✔ | ✔ |
Summary of Policy
This policy provides directives for protecting the components and systems that make up the WashU information infrastructure from unauthorized access, modification, disclosure, or denial of service. It covers the following topics:
- Protection of system, communication, and control networks
- Network segregation and segmentation
- Infrastructure physical security (e.g., access control and environmental controls)
- System maintenance and repair
Full Text of Policy
Policy 106 Information Security Infrastructure Risk Management
The scope of this policy encompasses all network assets, systems, computing devices, services, and operating personnel.
Related Information
101 Information Security Status Monitoring, Reporting, and Review
This policy communicates logging requirements for academic, clinical, administrative, research, and technical information security activities at WashU.
104 Information Security Vulnerability Management
This policy communicates the core principles and objectives for information security vulnerability management, including planning, detection, mitigation, and patching.
109 Information Security Incident Reporting, Response, and Recovery
This policy communicates a planned and systematic approach to incident handling from reporting to recovery and analysis.
110 Information Technology Change Control and Management
This policy outlines processes for maintaining the security and integrity of information assets throughout their lifecycles.
200 Information Security Classification, Labeling, and Handling
This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).
202 Information Security Identity, Authentication, and Access Control
Review and revision of this standard are in progress. Please contact infosec@wustl.edu.