115 Notice of Monitoring and Information Security Investigative Practices
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
| Requirement/Expectation | Authorized Personnel | OIS | Internal & External Legal Counsel | WashU | Vendor Partners |
|---|---|---|---|---|---|
| Uses security tools that generate Monitoring Data. | ✔ | ||||
| May monitor network traffic and examine computer files and systems. | ✔ | ✔ | |||
| May conduct security investigations involving personal devices used for university activity. | ✔ | ||||
| Has access to Monitoring Data according to the principle of least privilege. | ✔ | ✔ | |||
| Bears responsibility for securing and managing university information resources. | ✔ | ✔ | |||
| Grants access to/provides data after consulting with OGC, HR, or relevant Data Administrators. | ✔ | ||||
| May request and review electronic information related to university activities. | ✔ | ✔ | |||
| Review indications of compromise identified by automated processes. | ✔ | ✔ | ✔ | ||
| Escalate as necessary to the OIS for incident response and recovery. | ✔ | ✔ | ✔ | ✔ | |
| Uses manual and automated processes to review Monitoring Data in forensic investigations of cyber security incidents. | ✔ | ✔ | ✔ | ||
| Classifies and secures the data resulting from monitoring activity and investigations according to the content of the monitored activity. | ✔ | ✔ |
Summary of Policy
The Notice of Monitoring and Information Security Investigative Practices conveys the commitment of the OIS to the responsible collection, use, and safeguarding of personal information. This policy clearly communicates details about the following topics:
- The use of security tools to collect, correlate, process, and analyze specific types of data related to computer and network activities
- The legal basis for the collection of these data
- How these data are managed according to the principle of least privilege
- Handling requests for access to these for internal and external investigations
- The rights of individuals related to these data