Policies

Access to Faculty or Staff Email, Files, or Systems Policy
The policy and associated guidance provide a well-defined and organized approach for access to faculty or staff electronic information or systems at WashU.

Application Security Policy
The policy and associated guidance provide an organized approach for all instances and stages of development initiated for WashU departments or schools. Based on the project requirements, applications are developed in-house, with a third party, or commercial off-the-shelf (COTS). This policy will cover all instances to ensure the appropriate security controls are implemented for applications developed for WashU.

Computer Use Policy
This policy and associated guidance provide direction for appropriate use of computer systems, networks, and information at WashU.

Data Center Policy
The policy and associated guidance provide an outline of the physical and logical security controls needed to reduce the risk of unauthorized access or use of systems in a WashU data center.

Electronic Messaging Security Policy
The policy and associated guidance provide direction for electronic messages (i.e. email, chat, and other electronic messages) containing WashU confidential and/or protected information.

Encryption Policy
The policy and associated guidance provide the practices WashU will utilize to protect the integrity and confidentiality of information stored, transmitted, transferred to portable media, and sent through messaging systems to entities external to the university.

Exception Policy
The policy and associated guidance provide a well-defined approach to review exception requests for published WashU Information Security policies, standards, and guidelines.

Incident Reporting Policy
The policy and associated guidance provide a well-defined, organized approach for reporting any potential threat to confidentiality, availability, and/or integrity of the computer equipment or information at WashU.

Incident Response Policy
The policy and associated guidance provide a well-defined and organized approach for handling any potential threat to computers and data.

Information Classification Policy
The policy and associated guidance provide the identification and classification of information created, stored, and/or transmitted.

Information Security Controls Policy
The policy and associated guidance provide a well-defined and organized approach for compliance with identified security controls.

Information Security Policy
The policy and associated guidance provide management direction and support for the information security program in accordance with university requirements, relevant laws, and regulations.

Information Security Risk Management Policy
The policy and associated guidance provide a common methodology and organized approach to Information Security risk management, whether based on a regulatory compliance requirement or a threat to the university.

Information Security Training and Awareness Policy
The policy and associated guidance provide an organized security awareness and training program that will inform WashU of relevant and recent security topics.

Infrastructure Security Policy
The policy and associated guidance provide the WashU computing community directives to help ensure integrity, confidentiality, and availability of information and provide a safe computing environment. All network assets, systems, computing devices, services, and operating personnel will be in scope for this policy. This includes network infrastructure components, network management and service systems, WashU faculty, staff, and students.

Litigation Hold Policy
The policy and associated guidance provide a well-defined approach to notify, identify, collect, and retain electronic information relevant to requests from the Office of the Executive Vice Chancellor and General Counsel (OGC) for preservation or collection of electronic information.

Managing Access Policy
The policy and associated guidance provide a well-defined and organized approach to facilitate access being granted, managed, and reviewed based on the roles of each computer user while remaining compliant with regulatory mandates.

Media Reuse and Disposal Policy
The policy and associated guidance provide requirements for reuse or disposal of WashU systems containing protected or confidential information.

Mobile Device Security Policy
The policy and associated guidance provide methods of protection for all mobile computing and storage devices that contain or access protected or confidential information resources at WashU.

Password Policy
The policy and associated guidance provide direction for authentication to WashU systems and network.

Personal Device Security Policy
The policy and associated guidance provide requirements for using personal devices to access, create, host, and transmit confidential and/or protected information.

Roles and Responsibilities Policy
This policy and associated guidance establish the roles and responsibilities within WashU, which is critical for effective communication of information security policies and standards. Roles are required within the organization to provide clearly defined responsibilities and an understanding of how the protection of information is to be accomplished. Their purpose is to clarify and coordinate the activities and actions necessary to disseminate security policy, standards, and implementation.

Vulnerability Management Policy
This policy and associated guidance cover a well-defined and organized approach for vulnerability management to reduce infrastructure risks and integrate with patch management. To ensure confidentiality, integrity, and availability of WashU systems, the Office of Information Security (OIS) and Information Technology (IT) will develop a documented vulnerability management process for the efficient and effective assessment and mitigation of IT infrastructure risks.