Policy 100 Information Security Program
- Purpose
- Applicability and Audience
- Policy
- 100.00 Introduction
- 100.01 Information Security Roles and Responsibilities
- 100.02 Information Security Governance and Compliance
- 100.03 Asset Inventory
- 100.04 Data, Information, and System Classification
- 100.05 Information Security Controls Plan
- 100.06 Communications, Training, and Awareness
- 100.07 Summary of Additional OIS Policies
- Policy Compliance
- Related Policies, Standards, and Guidelines
- References
- Policy Review
Purpose
The Office of Information Security (OIS) and Information Security Program support the mission of Washington University in St. Louis (WashU) by protecting the Confidentiality, Integrity, and Availability (CIA) of data and information resources. The Information Security Program policy outlines the charge and mission of our office and describes the core activities of the Information Security Program. These activities include the following:
- Defining roles and responsibilities to coordinate activity and clarify actions necessary to disseminate security policy and associated guidance
- Creating a system of classification for institutional data and systems, assessing the risks associated with them, and allowing for the application of security controls commensurate with those risks
- Providing resources and guidance to help System Owners and administrators ensure the CIA of WashU information systems
- Establishing and maintaining an accurate inventory of information assets, including hardware, software, and data
- Establishing a lifecycle-development process that incorporates documented policies, standards, and guidance, as well as risk and vulnerability assessments
- Developing and documenting standard security controls
- Encouraging a community of informed and empowered users through information security communications, training, and awareness activities
Applicability and Audience
This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data.
All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.
Policy
100.00 Introduction
Information security is a multidimensional challenge and a shared responsibility. The OIS relies on the cooperation of all members of the WashU community, including executive leadership, individual faculty, staff, students, and third-party partners to ensure the ongoing CIA of our information resources.
WashU is both a producer and consumer of information and information services. Our Information Security Program accounts for the risks we face as producers and consumers, anticipating the impact of security incidents for the WashU community and those who rely on us, and preparing to weather incidents that might affect our third-party partners.
This policy outlines the central components of our program.
100.01 Information Security Roles and Responsibilities
The OIS strives to clearly define and communicate security roles and responsibilities for the WashU community.
Everyone in the WashU community occupies the role of Data User. A Data User is responsible for the following:
- Acts always in a manner that does not endanger the security, Confidentiality, Integrity, and Availability (CIA) of the information and resources to which they have access.
- Helps to identify areas and report to OIS where risk management practices should be adopted.
- Takes all practical steps to minimize the university’s exposure to contractual and regulatory liability.
In addition to the role of Data User, some members of the community may fulfill additional roles and responsibilities, as specified below.
- Receives an annual update on risk and the state of IT.
- Consults with Executive Leadership to understand university IT mission and risks; provides guidance to bring IT mission and risks into alignment.
- Approves capital expenditures for Office of Information Security
- Serves as a communication path to Deans and senior faculty.
- Aligns information security policy and posture to the university’s mission and risk appetite.
- Sponsors the OIS to ensure that university activities, processes, and projects follow the information security risk management process.
- Coordinates with the CISO to ensure IT puts into practice the information security framework.
- Communicates information security risks to Executive Leadership
- Reports information security risks annually to university leadership and gains approval to bring risks to acceptable levels.
- Coordinates the development and maintenance of information security policies and standards.
- Works with the OIS to establish an information security framework and awareness program.
- Serves as a liaison to the Board of Directors, Internal Audit, Office of General Counsel, and law enforcement.
- Implements enterprise-wide program to ensure the protection of personal information entrusted to the university.
- Provides advice and training on privacy standards and best practices, new technologies, and compliance with state, federal, and international privacy regulations.
- Provides oversight and direction for privacy across the university.
- Communicates privacy risks to executive leadership.
- Oversees information privacy assessments, analysis, mitigation, and remediation.
- Conducts risk assessments, documents identified threats, and maintains a risk register.
- Assists WashU departments and schools in assessing their data for classification as defined in policy section 100.04 Data, Information, and System Classification
- Advises departments and schools in the assignment of controls according to information classification.
- Develops policy, standards, processes, and solutions to mitigate identified risks to an acceptable level.
- Assists the CISO in developing the Information Security framework.
- Works with IT, faculty, and staff to embed the framework into operations.
- Monitors infrastructure and data repositories for malicious activity.
- Works with the incident manager to detect and investigate security incidents.
- Establishes the vulnerability management program.
- Provides the WashU community with information security consulting services.
- Under the direction of the OIS, manages and coordinates incident response, communication, and notification.
- Serves as a lead in the investigation of security incidents.
- Coordinates and maintains incident documentation and documentation-retention activities.
- Provides organizational framework to effectively manage university data.
- Assists WashU departments and schools in assessing their data for classification as defined in policy section 100.04 Data, Information, and System Classification
- Develops policy, standards, processes, and solutions to mitigate identified risks and effectively manage data.
- Provides guidance, support & training for implementing Data Governance program initiatives.
- Defines, measures, and monitors data quality to ensure accuracy and maturity.
- Identifies, escalates, and assists to resolve data governance-related challenges.
- Works across WashU to embed data governance into operations.
- Serves as a point of technical contact for university information security committees.
- Acts as a representative for their organizational area(s) in matters related to information security.
- Communicates with and educates workforce members in IT regarding the Confidentiality, Integrity, and Availability (CIA) of institutional information, information systems, and relevant university information security policies, standards, and guidelines for the organizational area(s) for which they are responsible.
- Facilitates access to information systems upon request of the data custodians, system owners, and managers; obtains proper approvals and determines appropriate access needs for staff.
- Facilitates resolution of information security and privacy issues for their organizational area(s)
- Serves as focal point and coordinator during a security incident.
- Acts as the department or school’s central contact regarding information security.
- Attends and participates in periodic privacy meetings, seminars, and retreats.
- Disseminates new information, policies, and procedures to the appropriate school or departmental heads, division leaders, staff, business manager, etc.
- Works with IT Liaisons to manage and track a detailed inventory of the department’s Protected Information.
- Provides input and feedback to the OIS regarding policy making, procedures, exceptions, and other department or school issues pertaining to information security.
- Manages the implementation of compliance rules and safeguards according to policy and procedure.
- Coordinates information security training efforts within the department or school
- Serves as focal point and coordinator during a security incident.
- Provides oversight and direction for privacy within the healthcare environment to include incident investigations and the determination of notification requirements involving Protected Health Information (PHI)
- Works closely with senior administrators and compliance staff to enforce Health Insurance Portability and Accountability Act (HIPAA) privacy program policies within the School of Medicine
- Provides oversight and direction for compliance within the student records systems and user community to include incident investigations and the determination of notification requirements involving Protected student data.
- Works closely with academic administrators, IT, OGC and data governance partners to publicize and enforce FERPA (Family Educational Rights and Privacy Act) requirements and University policies.
- Responsible for their specific privacy compliance areas
- Works with the OIS to ensure information security requirements are met.
- Conducts sample audits to ensure compliance with information security policies and risk mitigation efforts.
- Interfaces with external auditors to provide an independent audit of IT infrastructure and practices.
- Departments, schools, and units that own, manage, and administer data related to the university mission accept oversight responsibility for those data.
- Authorizes and defines policies, standards, and guidelines regarding business definitions of information, access, and usage.
- Appoints a data steward for their subject area, which may be a third party.
- May be responsible for the context, content, and rules of use for institutional data; this responsibility is typically delegated to the data steward.
- Implements and enforces university policies, standards, and guidelines for institutional information within their designated data sets.
- Facilitates enactment of data management policies and standards in their specific data domain to protect security and privacy.
- Maintains accurate data definitions and data quality in their data domain.
- Assists to ensure access to data is authorized and controlled.
- Enforces technical processes and controls to safeguard data and sustain data integrity.
- Works with the System Custodian to ensure that information classified as Confidential, Protected, or CUI adheres to required university information security controls.
- The data steward may be a third party.
- Manages the Confidentiality, Integrity, and Availability (CIA) of the information systems for which they are responsible; this includes managing access and implementing other processes or controls according to university information security and policy.
- Advises Executive Leadership in the financial resources needed to develop and implement information systems and controls, including those specifically required by grants or contracts.
- Maintains critical information system documentation.
- Ensures and applies security controls per policies and standards.
- Formally appoints and delegates responsibilities to system custodians, who may be third parties.
- Makes and is accountable for operational decisions regarding the use and management of an information system.
- Implements controls as delegated by System Owners and Data Stewards
- System Custodian/System Administrator may be the same as System Owner
- A privileged user is authorized and trusted to perform security-relevant functions that ordinary users are not authorized to perform.
- May perform a variety of duties, including administrating systems, networks, and accounts.
- Manages changes that may affect network and computing systems, accounts, files, data, and processes.
- Must understand which of the above roles applies to them/their organization, and all associated responsibilities.
- Assesses and documents the application of controls to protect the Confidentiality, Integrity, and Availability (CIA) of WashU information systems and data.
- Maintains an up-to-date inventory of assets that access WashU information systems and data.
- Protects WashU information systems and data from unauthorized access, use, modification, and destruction.
- Ensures WashU data is not accessible to other customers or non-WashU parties.
- Promptly notifies WashU of events that may compromise the CIA of WashU information resources.
- Protects WashU from unlawful activity.
- Cooperates with the OIS to respond to device thefts affecting Danforth faculty, staff, and students.
100.02 Information Security Governance and Compliance
Information Security Governance
Information security governance relates to who is authorized to make security decisions, the framework for creating accountability and oversight, and ensuring that our overarching security strategy aligns with our institutional mission while meeting regulatory requirements. In short, information security governance is about “doing the right thing” in securing our information resources. Doing the right thing entails meeting the following objectives:
- Aligning governance and risk management processes to address cybersecurity risks
- Adhering to regulatory requirements
- Overseeing security operations to protect institutional assets
- Guiding the information security conduct of the WashU community
- Managing, approving, or denying exception requests as appropriate to protect the shared security of our organization
- Protecting university interests by avoiding compromises to our information resources.
Standards and guidelines are developed and regularly updated by appropriate stakeholders to support policy directives. A link to supporting documentation is provided in the References section of each policy. The Policy and Standard Development Process document provides additional details.
Information Security Compliance
The OIS determines a minimum set of requirements for the security of our information systems and the data that our organization stores, processes, and transmits. Cooperating with departments, schools, units, and area-specific compliance officers (ASCOs), we continuously monitor and document the implementation, status, and effectiveness of security controls. This process ensures security functions such as patching, logging, log review, network scans, vulnerability scans, and penetration testing are performed as required. In short, our compliance efforts help our organization “do things right.” Additional details are available in Policy 101: Information Security Status Monitoring, Reporting, and Review.
100.03 Asset Inventory
To effectively implement necessary security controls, the asset management program, supported by departments, schools, and units will conduct an ongoing inventory of information assets throughout an asset’s lifecycle, including removal, transfer, and disposition. These assets include hardware, software, services, and data, including external information systems and assets provided by third parties.
The OIS evaluates assets in terms of criticality to our organizational operations and assigns controls accordingly. Section 100.04 of this policy includes more information about data, information, and system classification.
100.04 Data, Information, and System Classification
Data and Information Classification
Data and information created, stored, and transmitted by the WashU community are classified as 1) Public, 2) Confidential, 3) Protected, or 4) Controlled Unclassified Information (CUI). These classification categories are based on the possibility of adverse effects to the university and WashU community should the data be disclosed, altered, or destroyed without authorization. In some cases, data and information are protected by legislation or other regulations and require additional security controls.
The data and information classification process involves analysis of the potential for damage or distress should the information be shared without authorization. The OIS and the Office of Data Governance (ODG) work with those who have data and information security roles to classify data and information appropriately. WashU data and information classification categories are described below. Please visit the Data Classification page on the OIS website or the ODG website for additional information and resources.
1. Public Data and Information
Public Data and Information may be shared openly and do not have regulatory or industry requirements.
2. Confidential Data and Information
Confidential Data and Information are not freely available to create, store, or transmit but do not have any regulatory or contractual requirements. This includes data provided to WashU by external individuals or entities for use and storage by the university.
3. Protected Data and Information
Protected Data and Information, whether contractually regulated or identified by federal, state, local, and industry regulations, require additional security controls. The application of these controls is determined according to specific regulations. These regulations include, but are not limited to:
- Health Insurance Portability and Accountability (HIPAA) covering Protected Health Information (PHI)
- Federal Information Security Management Act (FISMA) when creating and storing information for federal agencies
- Payment Card Industry (PCI) Data Security Standards (DSS)
- Family Educational Rights and Privacy Act (FERPA)
- Higher Education Act (HEA)
- General Data Protection Regulation (GDPR) and similar U.S. and international laws protecting the privacy of personal information
- Gramm-Leach Bliley Act (GLBA)
- Chemical Facility Anti-Terrorism Standards (CFATs)
- FDA Part 11 pertaining to electronic signatures
- Nuclear Regulatory Commission (NRC)
- Fair and Accurate Credit Transactions Act
- Children’s Online Privacy Protection Rule
4. Controlled Unclassified Information (CUI)
CUI is defined and described in the Code of Federal Regulations (CFR). It refers to a variety of unclassified data types that federal agencies create or possess or that a non-federal entity (e.g., WashU) receives, possesses, or creates for or on behalf of the federal government. CUI is required by law, regulation, or government-wide policy to have safeguarding or dissemination controls. Specific information about working with CUI is available on the OIS’ Controlled Unclassified Information in Sponsored Research page.
Data Collections
A data collection is a grouping of similar or related data. When classifying a collection of information or data, the most restrictive classification of any of the individual data elements should be used.
System Classification
A system is a device that accesses or stores information. Systems require controls to protect the information they contain. Controls vary according to the criticality of the system and the nature of the information it stores and accesses. The OIS classifies systems to help administrators understand how a system will be used, the type of information stored and accessed by that system, and necessary controls for protecting the system and its constituent information. Details about how we classify systems are available in Standard 200: Information Security Classification, Labeling, and Handling.
Individuals with applicable information security roles must regularly monitor and document system-access permissions. These permissions are granted according to the principles of least privilege and functionality, are revised as necessary to prevent privilege creep, and are granted such that they maintain separation of duties. Please refer to Policy 102: Information Security Authentication, Authorization, Audit and Standard 202: Information Security Access Control for additional details.
100.05 Information Security Controls Plan
To assure ongoing confidentiality, integrity, and availability of WashU systems and data, the OIS assigns security controls commensurate with risk and according to the classification of data, information, and systems. Control plans include policies regarding the physical operating environment, baseline configurations of systems that incorporate core security principles (e.g., least functionality), detection activities, and processes for managing exceptions. Controls are derived from applicable security frameworks developed by bodies such as the International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) Security Controls (SP800-53). Additional controls may be applied as appropriate according to WashU department and school needs.
100.06 Communications, Training, and Awareness
Communications
The security of our systems and information requires the cooperation of every member of the WashU community. The OIS promotes awareness and understanding of institutional policies and standards, common and emerging security threats, and best practices in information security using the following strategies:
- Developing the OIS website as a security resource for the WashU community
- Producing communications including articles, posts, newsletters, and digital signs to convey best practices, legal mandates, compliance efforts, and updates to policy
- Publishing special notices as necessary to address incidents, known threats, and strategies for reducing risk
In addition to internal communications, the OIS shares information with the wider information-security community and external stakeholders to develop broader situational awareness of cybersecurity.
When a major security incident affects the WashU community, the OIS:
- Works with internal and external parties to produce clear, accurate, and informative communications regarding the incident and recovery activities
- Coordinates with WashU Marketing & Communications, WashU Medicine Marketing & Communications, General Counsel, and other appropriate offices to manage public relations and repair the institution’s reputation after an incident
- Communicates incident recovery activities to the WashU community, external stakeholders, management, and executive leadership
Training
The OIS maintains a security awareness training program to facilitate compliance with policies, regulations, and the classification of information and its security.
The OIS provides classroom and web-based security training during orientations and as necessary. This training covers OIS Policies, requirements, and practices for protecting Confidentiality, Integrity, and Availability (CIA) of WashU information and resources. Training is updated to accommodate regulatory changes and changes to the WashU system and infrastructure and includes the following areas:
- Basic training provided to individuals prior to accessing any Protected Information
- Targeted training for users, departments, and schools that need to meet specific information protection and regulatory requirements
- Role-based training for those with access to Protected Information, those with security roles and responsibilities, and as required by regulation
- Regulatory-specific training pertaining to specific industry regulations such as PCI, FERPA, HIPAA, NRC, etc.
The OIS assists departments and schools to ensure university community members have appropriate security training in the following:
- Accessing, receiving, transmitting, or otherwise using Confidential or Protected Data
- Setting up, managing, maintaining systems and workstations that access, receive, transmit, or store Protected and Confidential Information
- Familiarizing the department and school with WashU security policies and policies of Area Specific Compliance Offices (ASCOs)
Training Development
The OIS develops training curricula in-house and through third-party services. This training consists of the following areas, among others:
- Information Security policies, standards, controls, and guidance
- Confidentiality, integrity, and availability of information
- Security practitioner responsibilities and practices for IT staff and system custodians
- Practical information security safeguards for faculty, staff, and students
- User response to suspected security incidents
- Common security threats and vulnerabilities
- Information security best practices
- Secure use of WashU networks and information systems
- Legal and department/school requirements
Training Process and Documentation
A record of training completion is maintained in a centralized learning management system or in department/school files.
Awareness
OIS engages the WashU community to foster a security-aware culture in the following ways:
- The OIS website, an informational resource for the WashU community containing policy, guidance, how-to-information, and training
- Regular and timely communications, including articles, posts, newsletters, and digital images, covering changes in policy, compliance efforts, legal mandates, and best practices
- Special notices addressing incidents, known threats, and steps users can take to reduce their risk
- Digital signs targeting specific awareness efforts
These awareness activities focus on applying security best practices and controls specified by NIST, ISO, The Center for Internet Security (CIS), and regulatory agencies.
100.07 Summary of Additional OIS Policies
101 Information Security Status Monitoring, Reporting, and Review
The Information Security Status Monitoring, Reporting, and Review Policy outlines the flow of communication between the OIS, schools, departments, and units. Cooperation, regular communication, documentation, and reporting about asset management, anomalous activity, and the application of security controls are essential to maintaining WashU infrastructure, data, and systems.
102 Information Security Authentication, Authorization, and Audit
The Information Security Authentication, Authorization, and Audit policy outlines how information and system access are managed, controlled, and reviewed in accordance with regulatory requirements. It discusses identity authentication factors, account-holder responsibilities, privileged access management, and the principles of least privilege and functionality.
103 Information Security Device Management
The Universal Device Management Policy defines and explains how the OIS and WashU community members work together to manage the security of managed university devices, unmanaged university devices, mobile devices, and personal devices.
104 Information Security Vulnerability Management
The Information Security Vulnerability Management Policy describes the university’s approach to vulnerability management to reduce infrastructure risks and implement a patch management.
105 Information Security Risk Management
The Information Security Risk Management Policy provides guidance for identifying, managing, and responding to security risks that threaten WashU’s ability to carry out its institutional mission.
106 Information Security Infrastructure Risk Management
The Information Security Infrastructure Risk Management Policy provides the WashU community directives to ensure the CIA of information assets such as workstations, servers, and other infrastructural hardware.
107 Information Technology Business Continuity and Disaster Recovery Planning
The Information Technology Business Continuity and Disaster Recovery Planning Policy outlines security measures employed to protect electronic information systems, provides direction and support for developing risk-based business continuity plans, and outlines the process of recovery plan development, implementation, and review.
108 Information Security Requests to Access User Content
The Information Security Requests to Access User Content Policy provides direction for electronic messages containing WashU Confidential and/or Protected Information, access to faculty and staff electronic information, and the process for notifying, identifying, collecting, and retaining electronic information relevant to requests from the Vice Chancellor and General Counsel.
109 Information Security Incident Reporting, Response, and Recovery
The Information Security Incident Reporting, Response, and Recovery Policy outlines the process for reporting and handling threats to WashU information, infrastructure, systems, network segments and resuming operations after an incident.
110 Information Technology Change Control and Management
The Information Technology Change Control and Management Policy details the processes the university uses to maintain the integrity of information assets (e.g., hardware, software, firmware) throughout their lifecycles. This process includes planning for, developing, testing, and documenting changes, training personnel, and communicating changes to the WashU community.
111 Information Security Software Development, Management, and Administration
The Information Security Development, Management, and Administration Policy outlines the OIS process for assessing the security of enterprise applications and services, contracts with third-party providers, and the readiness of third-party provider response and recovery plans.
112 Information Security Acceptable Use
The Information Security Acceptable Use Policy provides direction and support for the appropriate use of computer systems, networks, and information at WashU.
113 Information Security Encryption
The Information Security Encryption Policy describes the practices WashU uses to protect the integrity and confidentiality of information that is stored, transmitted, transferred to portable media, and sent through messaging systems and entities external to the university.
114 Information Security Exception
The Information Security Exception Policy provides a well-defined approach to the review of exception requests for published WashU Information Security policies, standards, and guidelines.
115 Notice of Monitoring and Information Security Investigative Practices
The Notice of Monitoring and Information Security Investigative Practices informs the WashU Community of 1) the automatic generation and collection of data during routine information security operations, 2) the examination of targeted data during incident investigations, and 3) OIS practices for protecting the privacy and confidentiality of these data.
Policy Compliance
The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance could lead to disciplinary action as determined by management, Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.
Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.
Related Policies, Standards, and Guidelines
Standard 200: Information Security Classification, Labeling, and Handling
Standard 202: Information Security Access Control
References
National Institute of Standards and Technology (2018) Cybersecurity Framework
National Institute of Standards and Technology (2020) Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations, Rev. 5
Policy Review
This policy will be reviewed by the OIS at a minimum of every three years.
Policy Number and Title: 100 Information Security Program Policy
Owner: Office of Information Security
Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: November 17, 2023
Current Version Publication Date: April 18, 2024
1 Note that the Data Governance Policy defines similar roles, which may have different responsibilities.