115 Notice of Monitoring and Information Security Investigative Practices
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement/Expectation | Authorized Personnel | OIS | Internal & External Legal Counsel | WashU | Vendor Partners |
---|---|---|---|---|---|
Uses security tools that generate Monitoring Data. | ✔ | | | | |
May monitor network traffic and examine computer files and systems. | ✔ | ✔ | | | |
May conduct security investigations involving personal devices used for university activity. | ✔ | | | | |
Has access to Monitoring Data according to the principle of least privilege. | ✔ | ✔ | | | |
Bears responsibility for securing and managing university information resources. | ✔ | ✔ | | | |
Grants access to/provides data after consulting with OGC, HR, or relevant Data Administrators. | ✔ | | | | |
May request and review electronic information related to university activities. | ✔ | ✔ | | | |
Reviews indications of compromise identified by automated processes. | ✔ | ✔ | ✔ | | |
Escalates as necessary to the OIS for incident response and recovery. | ✔ | ✔ | ✔ | ✔ | |
Uses manual and automated processes to review Monitoring Data in forensic investigations of cyber security incidents. | ✔ | ✔ | ✔ | | |
Classifies and secures the data resulting from monitoring activity and investigations according to the content of the monitored activity. | ✔ | ✔ | | | |
Summary of Policy
The Notice of Monitoring and Information Security Investigative Practices conveys the commitment of the OIS to the responsible collection, use, and safeguarding of personal information. This policy clearly communicates details about the following topics:
- The use of security tools to collect, correlate, process, and analyze specific types of data related to computer and network activities
- The legal basis for the collection of these data
- How these data are managed according to the principle of least privilege
- Handling requests for access to these data for internal and external investigations
- The rights of individuals related to these data
Full Text of Policy
Related Information
101 Information Security Status Monitoring, Reporting, and Review
This policy communicates logging requirements for academic, clinical, administrative, research, and technical information security activities at WashU.
200 Information Security Classification, Labeling, and Handling
This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).
202 Information Security Identity, Authentication, and Access Control
DRAFT This standard establishes requirements for verifying user identities and authenticating user requests for access to systems and services at Washington University in St. Louis (WashU). This standard also communicates expectations that system managers and administrators must follow to control access to WashU information resources.
204 Information Security Vulnerability Management
DRAFT This standard establishes a structured approach to identifying, assessing, prioritizing, and mitigating vulnerabilities within the IT infrastructure at Washington University in St. Louis (WashU).