Policy 115 Notice of Monitoring and Information Security Investigative Practices
- Purpose
- Applicability and Audience
- Roles and Responsibilities (100.01)
- Policy
- Policy Compliance
- Related Policies, Standards, and Guidelines
- Policy Review
Purpose
This Notice of Monitoring and Information Security Investigative Practices informs the Washington University in St. Louis (WashU) Community of the following:
- The automatic generation and collection of data during routine information security operations
- The examination of targeted data during incident investigation
- Office of Information Security (OIS) practices for protecting the privacy and confidentiality of these data
Applicability and Audience
This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data.
This policy affects WashU Community members with elevated permissions for accessing information security logs or other user-created content.
All members of the WashU Community should be aware of this policy, including faculty, staff, students, alumni, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.
Roles and Responsibilities (100.01)
Policy
115.00 Introduction
The Office of Information Security (OIS) supports the mission of WashU by ensuring the ongoing Confidentiality, Integrity, and Availability (CIA) of WashU information resources. This involves using security tools that generate Monitoring Data, including logs of activities on endpoints, networks, accounts, and applications. These data include user, application, and security information (e.g., usernames and IP addresses).
The university reserves the right to monitor network traffic and examine computer files and systems. In justified and reasonable circumstances, this includes information security investigations involving personal devices used for university activities.
The OIS seeks to balance the use of Monitoring Data to protect the university with respect for the personal privacy of our users. Responsible stewardship is mandated by laws, regulations, contracts, and university policies, and it is foundational to information security governance at WashU.
115.01 Data Collected
The OIS uses security tools to automate the collection, correlation, processing, and analysis of a wide range of computer and network activities. Specifically, these tools record:
- Domain Name Service (DNS) lookups
- Connections through firewalls, including connections between the Internet and the university, and connections within the university network
- Traffic on the university network
- WUSTL Key and other authentications
- Access sessions (logins) to systems and information on the university network and in the cloud
- The header information from email messages that are sent and received by WashU email services
- Processes on servers and endpoint computers (screened for malware and indications of compromise such as malicious-use patterns)
- Software versions and the presence of vulnerable applications and services
Policy 101: Information Security Status Monitoring, Reporting and Review includes additional information about security monitoring and logging at WashU.
Standard 204: Information Security Vulnerability Management contains information about how scans are conducted to detect vulnerabilities that could impact WashU information resources, and how those vulnerabilities are addressed.
115.02 Access to Data
Access to Monitoring Data is strictly managed according to the principle of least privilege, such that only authorized personnel have access on a “need-to-know” basis. Authorized personnel include select WashU IT staff members or third parties (e.g., vendors) that are responsible for securing or managing university information resources.
Access to Monitoring Data may occasionally be requested in internal investigations, legal proceedings, and life-safety emergencies. In such situations, the OIS will not grant access to or provide data without first consulting with the Office of General Counsel, Human Resources, or the relevant Data Administrator.
Electronic information related to university activities (e.g., student and employee records), created, stored, or transmitted on any device may be subpoenaed and reviewed by internal or external legal counsel. In investigations related to clinical care, the use of Monitoring Data will follow Faculty Practice Plan guidance.
115.03 Use of Data
Automated processes continually review Monitoring Data to identify potential malicious activity and threats to the university. Vendor partners review the indications of compromise identified by these automated processes, escalating as necessary to the OIS for incident response and recovery. Data are also reviewed in forensic investigations of cyber security incidents using both automated and manual processes.
The university records Monitoring Data for the following purposes:
- Processing necessary to ensure the protection of sensitive and personal data. For example, the OIS logs and monitors the activities of users within Workday and related systems to protect payroll and benefits data. Activities in Salesforce, Canvas, Epic, and other applications are similarly logged.
- Processing necessary to protect the university from cyber security threats. For example, the OIS examines logs to protect the university from harm caused by malicious actors infiltrating university systems, and from the potentially harmful activities (accidental or intentional) of WashU Community members.
The university has the right to examine, and may examine, data stored, transmitted, or accessed on any WashU computing resource, but access to the data is limited to authorized personnel for legitimate university purposes.
115.04 Data Classification
The results of monitoring activity and investigations are classified at the same level as the content of the monitored activity (i.e., as Confidential or Protected), and must be secured following the requirements specified in Standard 200: Information Security Classification, Labeling, and Handling and Standard 202: Information Security Identity, Authentication, and Access Control.
115.05 Individual Data Subject Rights
The university collects data about individuals based on legal obligations, and to protect legitimate university interests. Except as permitted by applicable laws and regulations, users do not have the right to opt out of the associated data collection, nor to request copies of, access to, or deletion of any information collected by security tools.
Policy Compliance
The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.
Internal Audit will independently review logical and physical controls, reporting findings and recommendations to senior management and the Board of Trustees.
Related Policies, Standards, and Guidelines
Policy 101: Information Security Status Monitoring, Reporting, and Review
Standard 200: Information Security Classification, Labeling, and Handling
Standard 202: Information Security Identity, Authentication, and Access Control
Standard 204: Information Security Vulnerability Management
Policy Review
This policy will be reviewed by the OIS at a minimum of every three years.
Policy Number and Title: 115 Notice of Monitoring and Information Security Investigative Practices
Owner: Office of Information Security
Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: 10/8/2024
Current Version Publication Date: 11/8/2024