Policy 106 Information Security Infrastructure Risk Management

Purpose
Applicability and Audience
Information Security Roles and Responsibilities (100.01)
Policy
Policy Compliance
Related Policies, Standards, and Guidelines
References
Policy Review

Purpose

The purpose of the Information Security Infrastructure Risk Management Policy is to create a safe computing environment by providing guidance and directives to the computing community at Washington University in St. Louis (WashU) to ensure the ongoing Confidentiality, Integrity, and Availability (CIA) of our information resources. The scope of this policy encompasses all network assets, systems, computing devices, services, and operating personnel. This includes network infrastructure, components, network management and service systems, and all WashU faculty, staff, and students.

Applicability and Audience

This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university, including hardware, software, systems, and data.

This policy affects WashU Community members with administrator or elevated permissions for applications, systems, and/or infrastructure.

All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Information Security Roles and Responsibilities (100.01)

Policy

106.00 Introduction

The WashU infrastructure—the “behind the scenes” (i.e., not user endpoints such as laptops, desktops, smartphones, and tablets) hardware, software, and network components comprising the WashU operating environment—is designed to ensure the ongoing CIA of information resources by preventing unauthorized access, modification or disclosure, and denial of service. Components and systems comprising the WashU infrastructure must be secured.

The controls implemented to protect the WashU infrastructure will be commensurate with risk, based on system classification, and adapted from appropriate Special Publications of the National Institute of Standards and Technology (NIST) SP-800 series and other applicable industry standards. Refer to Standard 200: Information Security Classification, Labeling, and Handling for additional details about system classification.

The WashU infrastructure will follow WashU IT and Information Security policies, standards, and guidelines as described at informationsecurity.wustl.edu. Information technology staff, directors, or department heads are responsible for the design, implementation, and maintenance of security protections and ongoing compliance with this policy. Administrators of co-managed systems must confer with the OIS to ensure controls are in place and commensurate with the criticality of the system and data.

All exceptions must be approved by the Office of Information Security (OIS) and IT leadership.

106.01 Network and Systems Protection

The OIS will develop and document a formalized process for protecting system, communication, and control networks.

The OIS, WashU IT, and IT@WashU will perform the following functions:

Establish a baseline of network operations and expected data flows
Map organizational and communication data flows
Monitor, control, and protect WashU communications containing Confidential and Protected Data and Information at external boundaries and key internal boundaries
Establish an effective physical and logical network security perimeter
Define guidelines for monitoring, controlling, and protecting communication at the perimeter and within the WashU environment
Employ architectural design, engineering principles, and software that promotes ongoing CIA of WashU information systems
Catalog internal and external information systems following the Asset Management Program methodology
Implement mechanisms to achieve resilience requirements in normal and adverse situations (e.g., failsafe, load balancing, and hot swap), commensurate with business needs
Work with unit managers, System Owners, and/or System Custodians/System Administrators to assess the environment, determining methods and safeguards to limit the effects of malicious attacks (e.g., software updates, isolation, boundary protection, and secure transmission)

The OIS will regularly assess the implementation and efficacy of security controls. The results of these assessments will be provided to management. Weaknesses and deficiencies identified during the assessment process will form the basis of corrective action plans to reduce or eliminate the risk or vulnerability. Action-plan milestones will be documented.

System Owners will ensure that:

The confidentiality and integrity of information systems and transmitted information are protected in systems for which the System Owner is responsible
High-risk information systems use encryption to prevent unauthorized disclosure of information at rest and during transmission
Activity logs are systematically collected, maintained, and supplied to the OIS. Refer to Policy 101: Information Security Status Monitoring, Reporting, and Review for additional information.

106.02 Network Segregation and Segmentation

WashU will use network segregation to separate critical networks from the internet and other internal networks and will use network segmentation to divide computer networks into smaller parts (subnets), allowing network administrators to more precisely control how traffic moves across parts of the network. Network segregation and segmentation will be based on system and data classification.

106.03 Infrastructure Physical Security

Logical and physical control will be applied to infrastructure to protect the CIA of WashU information resources. Data and system classification will aid in the determination of appropriate controls.

This infrastructure includes but is not limited to:

Physical areas with servers
Storage Area Network (SAN)
Core networking and communication equipment
Core support equipment

The OIS and Internal Audit will periodically review infrastructure access and activity logs to verify that appropriate controls are in place.

Access Control and Monitoring

Access to equipment storage areas, secure areas, and delivery and loading areas will be restricted to authorized personnel, logged, and monitored based on classification of affected systems and data.

Refer to Standard 206: Server Security for additional details.

Environmental Controls

Managers of data centers housing mission-critical services and data storage will ensure that appropriate cooling, fire suppression, and redundant power services are in place to maintain the environment in the case of outages.

Power and telecommunications cabling carrying data or supportive information services must be protected from interception and damage.

To protect equipment from power failures and other electrical anomalies, IT will provide a suitable electrical supply that conforms to the equipment manufacturer’s specifications.

106.04 Events and Incidents Affecting Infrastructure

Security events and incidents affecting WashU infrastructure must be reported to the OIS. Such incidents include unauthorized access and use, lost and stolen devices, intentional damage to infrastructure, etc. Refer to Policy 109: Information Security Incident Reporting, Response, and Recovery for additional information.

106.05 System Maintenance and Repair

Regular maintenance (e.g., patches and updates) and repair of WashU infrastructural assets minimizes costly disruptions to university day-to-day operations. WashU System Owners will develop, document, and implement maintenance processes for information systems throughout the lifecycle. Integrity checking mechanisms will be used to verify hardware integrity. Security controls based on system and data classifications will be identified, documented, and implemented as appropriate to the criticality of the system. System updates to mitigate system and unauthorized access and application vulnerabilities are particularly important. All maintenance will be approved, logged, and performed in both routine and emergent situations.

Maintenance involving configuration changes must also conform to the requirements of Policy 110: Information Technology Change Control and Management.

Refer to Policy 104: Information Security Vulnerability Management for more information about system updates to mitigate vulnerabilities.

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the appropriate Area Specific Compliance Offices, Human Resources, or the Office of Student Conduct.

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.

Policy 101: Information Security Status Monitoring, Reporting, and Review

Policy 104: Information Security Vulnerability Management

Policy 109: Information Security Incident Reporting, Response, and Recovery

Policy 110: Information Security Change Control and Management

Standard 200: Information Security Classification, Labeling, and Handling

Standard 202: Information Security Identity, Authentication, and Access Control