100 Information Security Program

Requirements (the policy applies each requirement to one or more of these roles: All Users; System Owners; System Custodians/Administrators; Departments, Schools, Units)

The OIS will manage, approve, or deny exception requests (p. 3).
Data and information will be classified appropriately (p. 3).
Systems will be classified according to criticality and constituent information (p. 5).
System-access permissions will be regularly monitored and documented (p. 5).
The implementation, status, and effectiveness of security controls will be continuously monitored and documented (p. 3).
An ongoing inventory of information assets will be maintained (p. 3).
Individuals with applicable information security roles must regularly monitor and document system-access permissions (p. 5).
Basic information security training (p. 6).
Targeted and role-based training for regulatory requirements (p. 6).
A record of training is maintained (p. 7).

Summary of Policy

Roles and Responsibilities (100.01) 

Descriptions of these roles and responsibilities may be found in the dedicated section in the full text of the policy.

Information Security Governance and Compliance (100.02) 

Information security governance relates to who is authorized to make security decisions, the framework for creating accountability and oversight, and ensuring that our overarching security strategy aligns with our institutional mission while meeting regulatory requirements. The OIS determines a minimum set of requirements for the security of our information systems and the data that our organization stores, processes, and transmits. 

Asset Inventory (100.03) 

The OIS evaluates assets in terms of criticality to our organizational operations and assigns controls accordingly. 

Data, Information, and System Classification (100.04) 

Data and information created, stored, and transmitted by the WashU community are classified as 1) Public, 2) Confidential, 3) Protected, or 4) Controlled Unclassified Information (CUI). Refer to data classification for more information about the four categories. 

When classifying a collection of information or data, the most restrictive classification of any of the individual data elements should be used. 

Individuals with applicable information security roles must regularly monitor and document system-access permissions.

Information Security Controls Plan (100.05) 

The OIS assigns security controls commensurate with risk and according to the classification of data, information, and systems. 

Communications, Training, and Awareness (100.06) 

In addition to internal communications, the OIS shares information with the wider information security community and external stakeholders to develop broader situational awareness of cybersecurity. 

The OIS maintains a security awareness training program to facilitate compliance with policies, regulations, and the classification of information and its security. 

The OIS develops training curricula in-house and through third-party services. A record of training completion is maintained in a centralized learning management system or in department/school files. 

Awareness activities focus on applying security best practices and controls specified by NIST, ISO, The Center for Internet Security (CIS), and regulatory agencies. 

Full Text of Policy

Policy 100 Information Security Program

This policy is the foundation of the policy library. It establishes the charge and mission of the Office of Information Security (OIS) to protect the Confidentiality, Integrity, and Availability (CIA) of information resources at Washington University in St. Louis (WashU).

Related Information

200 Information Security Classification, Labeling, and Handling

This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).