This page is under construction. In the meantime, please contact firstname.lastname@example.org with questions about remote computing with protected and confidential data.
Protected and confidential data require additional security measures to ensure they are not
displaced, altered, or destroyed without authorization.
WashU community members handling protected or confidential data while working remotely must adhere to the policies, standards, and guidelines below.
Media containing protected and confidential data must be secured according to the Classification Standard (see section 200.06 Media).
Standard 200: Classification
Standard 200: Classification describes security expectations for controlled unclassified information (CUI), and protected, confidential, and public information at WashU.
Virtual Private Network (VPN)
Use the WashU VPN when connecting to the WashU network from an off-campus location. Refer to Standard 202.1 VPN for additional details.
Copying, Downloading, and Storing Protected Data
Copying, downloading, or storing protected data on your device introduces avoidable risks should the device be lost, stolen, or compromised. Avoid copying or downloading protected data to your device. Instead, use an OIS-approved Secure Storage and Communication Service.
If copying and storing protected data on your device is unavoidable, ensure the device complies with Policy 103: Device Management and Standard 203: Universal Endpoint Management.
Ensure protected data are secured in transit and at rest with encryption, following Policy 113: Encryption and Standard 213: Encryption.
The policy and associated guidance provide the practices WashU will utilize to protect the integrity and confidentiality of information stored, transmitted, transferred to portable media, and sent through messaging systems to entities external to the university.
This standard and associated guidance will provide the requirements for protecting the integrity and confidentiality of WashU information – at rest and in motion – stored, transmitted, transferred to portable media, and sent through messaging systems to entities outside of WashU.
Additional Requirements of Schools and Departments
Departments and schools that handle protected health information (PHI) must also adhere to
specific security requirements for remote work in addition to those stated above. Please find a
list of requirements for remote work involving PHI on the WashU Information Technology page, Policies and Requirements for Remote Work at Washington University School of Medicine.
Incident Reporting and Recovery
Users must notify the OIS of all security incidents. If your device or data are stolen,
compromised, corrupted, or destroyed, contact your IT Service Desk, the HIPAA Privacy Office,
and/or the OIS immediately. If the device is university-owned and managed, the OIS may be
able to help you find it. Refer to Policy 109: Information Security Incident Reporting,
Response, and Recovery for more information.
Incident Response Policy
The policy and associated guidance provide a well-defined and organized approach for handling any potential threat to computers and data.