Policy 108 Information Security Requests for Access to WashU User Content

Purpose

This policy describes how the Office of Information Security (OIS) handles requests for access to content created by active or former WashU Community members. 

User content includes, but is not limited to: 

  1. Messages (e.g., email, chat, and data/file-sharing services)
  2. Files (e.g., Word, Excel, PowerPoint)
  3. Browser bookmarks

In addition, this policy outlines the actions IT staff must take prior to granting access to any individual’s electronic activity. 

If a legal or regulatory incident involves an active or former WashU community member, management will contact the Office of General Counsel (OGC) and/or Human Resources Employee Relations (HR) for guidance prior to requesting access to user content.

Applicability and Audience

This policy applies to all WashU accounts, electronic messages and messaging services, and systems. This includes resources that are owned, leased, vended, contracted, or operated by the university, including hardware, software, systems, and data. 

All members of the WashU Community should be aware of this policy, including faculty, staff, and students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

This policy affects WashU IT users with access and visibility into user activity and user-created content. 

Please refer to the University Student Conduct Code for specific information about expectations for WashU students.

Information Security Roles and Responsibilities (100.01) 

Policy

108.00 Introduction

The Office of Information Security (OIS) is committed to respecting user privacy to the extent possible while also protecting the Confidentiality, Integrity, and Availability (CIA) of WashU information resources and otherwise meeting university needs and obligations. This policy outlines how the OIS achieves these objectives when processing requests for access to user content.

108.01 Requests for Access to Faculty and Staff User Content

Requests for access to faculty and staff user content should only be initiated by their management for the continuation of university, school or department needs (e.g., ongoing projects, contacts, schedules, recruitment, contracts, grants, research) or during an internal investigation.  

All requests to use elevated permissions to access user content for purposes of an internal investigation, litigation, or other legal or compliance purpose must be approved by the Office of General Counsel (OGC). Requests to use elevated permissions to access user content for management continuity must be approved by a Dean, Vice Chancellor, or higher-level executive. If the request arises from the investigation of an information security event or incident, refer to the Incident Response Plan and associated guidance.

To reduce the risk of inadvertent access, only System Custodians/System Administrators designated by their IT leadership may provide access to information as specifically instructed by OGC or HR.  

Refer to the policies and standards listed under References for additional information.

The OIS works with the Office of the Vice Chancellor and OGC to identify, collect, and preserve electronic information related to litigation. In such cases, OGC will notify the Chief Information Security Officer (CISO) and designees of the request to retain electronic information for a pending legal action. This notification will identify the relevant individuals and the nature and scope of information sought. The Department IT Director and CISO will be copied to assist in the process.  

Pursuant to the instructions in the legal hold notification from OGC, WashU department or school staff designated to assist the Office of Information Security (OIS) and OGC will identify information that falls within the scope of potentially relevant information defined in the notification. 

The information will be retained until OGC approves the release of the information. Tapes or files that contain information collected will not be recycled or deleted until OGC approves deletion. Reminders may be sent annually to determine the status of the collected information. 

Please see Standard 208: Information Security Handling of Requests for Access to WashU User Content for additional information.

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the appropriate Area Specific Compliance Offices, Human Resources, or the Office of Student Conduct. 

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.

References

Policy 112: Information Security Acceptable Use

Policy 115: Notice of Monitoring and Information Security Investigative Practices

Standard 208: Information Security Handling of Requests for Access to WashU User Content

Information Security Incident Management Process

Financial Services Records Management Policy

University Student Code of Conduct

Policy Review

This policy will be reviewed by the OIS at least every three years.

Policy Number and Title: 108 Information Security Requests for Access to WashU User Content 

Owner: Office of Information Security 

Approved By: Cyber Security Executive Advisory Committee

Original Approval Date: October 8, 2024 

Current Version Publication Date: December 6, 2024