Policy 112 Information Security Acceptable Use

Note: Policy 112: Information Security Acceptable Use replaced the Computer Use Policy on November 8, 2024.

Purpose

This policy and associated guidance provide direction for acceptable use of computers and related systems, networks, electronic messaging services, and information at WashU. 

Applicability and Audience

This policy applies to systems connected to any WashU network, including all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. 

This policy applies to all members of the WashU Community, including faculty, staff, students, and any agent of the university with access to WashU information and networks for contracted services. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Information Security Roles and Responsibilities (100.01)

Policy

112.00 Introduction

Policy 112: Information Security Acceptable Use provides direction to the WashU Community to protect the Confidentiality, Integrity, and Availability (CIA) of WashU information resources (i.e., hardware, software, systems, networks, and data). These resources are shared and made available to further the university mission.

The WashU Community will abide by applicable regulations, university policies, and federal, state, and city laws when using these resources. Departments and schools may implement additional, but not less stringent, acceptable use guidelines and procedures, as necessary. Copies of such guidelines and procedures must be provided to the Office of Information Security (OIS). 

112.01 Relationship to WashU Policies

The WashU policies below apply to information technology and other matters, such as communication and conduct. Policy 112: Information Security Acceptable Use complements and reinforces these policies. All users are personally responsible for maintaining their own awareness and compliance with OIS policies and other applicable university policies, laws, and regulations.  

Misuse of WashU information resources in violation of this or any other university policy will be investigated. Sanctions, up to and including employee termination or student expulsion, may be applied. For additional information regarding policies and sanctions, please review the following:

112.02 Access to WashU Information Resources

Unauthorized access to WashU information resources may significantly impact education, research, patient care, and other university activities. Some resources are only available with WUSTL Key login, and according to roles and responsibilities. Refer to Policy 102: Information Security Authentication, Authorization and Audit and Standard 202: Information Security Identity, Authentication, and Access Control for additional information.  

112.03 Personal Use

To avoid potential security and privacy risks, WashU Community members are strongly encouraged to use WashU accounts for WashU matters. Departments, schools, and units may require the use of WashU accounts for WashU matters.   

WashU Community members are strongly discouraged from using WashU accounts (e.g., e-mail) for personal matters (e.g., healthcare and banking) or storing personal files on WashU systems. Community members who choose to store personal files on WashU systems are responsible for managing and securing those files. WashU is not responsible for backing up or protecting personal files and is not liable for any harm that may occur to personal information stored on university systems.  

Use of WashU resources for personal, commercial or political gain is unacceptable. Refer to the WashU Code of Conduct, WashU HR Policies, and the Employee Handbook for additional information about personal use of WashU electronic resources.  

Departments, schools, and units may have additional policies that impact the personal use of university IT resources. Community members are responsible for familiarizing themselves with those policies.  

112.04 Use of Personal Devices

WashU Community members who choose to use a personal device (including mobile phones) for university activities must adhere to Policy 103: Information Security Device Management and all other applicable OIS policies and standards.  

Personal device users are responsible for ensuring that all devices that access university networks, services, systems, and data have basic security features enabled. Refer to Standard 203: Information Security Universal Device Management for additional details.  

112.05 Use of Artificial Intelligence (AI)

WashU Community members will use AI in accordance with all applicable laws, regulations, and university policies. Data, information, and systems used with AI must conform to the requirements of Policy 100 (see section 100.04 Data, Information, and System Classification), Standard 200: Information Security Classification, Labeling, and Handling, and Policy 105: Information Security Risk Management.  

Refer to WashU IT guidance on Generative Artificial Intelligence (AI) and the WashU Compliance Office page for additional applicable university policies. 

112.06 Misuse of Resources

WashU Community members are granted privileges to use their WashU accounts and are responsible for all activities involving their accounts. Account privileges may not be used to violate any university policy, or city, state, or federal laws or regulations. Access may be revoked in cases of misuse or threat to WashU systems and networks.  

WashU Community members will not use the WashU systems or networks to cause harm or perform illegal activities including, but not limited to, the following:

  • Cause harm to individuals, university data, or university networks
  • Disable systems, programs, or software  
  • Exfiltrate university data of any kind for personal gain 
  • Email spam or harassment  
  • Write or spread malware  
  • Download illegal materials  
  • Compromise data integrity 
  • Copyright infringement  
  • Engage in malicious computer activity  
  • Cryptomining 

Circumventing WashU policies to compromise the security of an account, system, device, or network, or those of a WashU partner, will not be tolerated.

112.07 Monitoring and Enforcement

WashU may implement technical and administrative controls to enforce this policy.  

WashU may log, review, retain, prohibit, or utilize any data or information stored or transmitted via WashU information resources for any legitimate organizational purpose, including without limitation, achieving regulatory compliance, managing WashU systems and networks, and enforcing university policies. WashU protects the privacy of information gathered while monitoring individual system and network usage. Refer to Policy 115: Notice of Monitoring and Information Security Investigative Practices for additional details.

Reporting

WashU Community members are responsible for reporting concerns or possible violations of this policy. Email infosec@wustl.edu to report concerns or possible violations. Concerns or violations can also be reported anonymously on the university’s hotline at (844) 484-5957 or by visiting the WashU Reporting Options page.  

Investigation

Violations of this policy may lead to an investigation involving, but not limited to, designated representatives of the WashU Community, Human Resources, General Counsel, OIS, Internal Audit, the HIPAA Privacy Office, or other Area Specific Compliance Offices (ASCOs).  

Sanctions

Violations of this policy may lead to disciplinary action, including loss of access to systems and accounts or possible termination, including, for example, under the Human Resources corrective action processes, Sanctions for Non-Compliance with HIPAA Policies, or the University Student Code of Conduct.  

For questions about this policy, contact your department, school, or unit system manager, or email the Chief Information Security Officer.  

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.

Internal Audit will independently review logical and physical controls, reporting findings and recommendations to senior management and the Board of Trustees. 

University Policies

OIS Policies and Standards

References

Policy Review

This policy will be reviewed by the OIS at a minimum of every three years.   

Policy Number and Title: 112 Information Security Acceptable Use 

Owner: Office of Information Security  

Approved By: Cyber Security Executive Advisory Committee

Original Approval Date: 10/8/2024

Current Version Publication Date: 11/8/2024