The Office of Information Security has identified a phishing threat in which the sender indicates they have compromising information about the recipient, offering as proof a plaintext password that may look familiar to the recipient. These passwords are NOT an indication that the sender has access to any special information about you. They are simply […]
Profile: Betsy Ball, Information Security Architect
Please join us in welcoming Betsy Ball to the Office of Information Security’s team! Betsy comes to us with more than 30 years of IT experience, including work in user support as well as server, network, and firewall administration. In her role at WashU, she will serve as an Information Security Architect, working with the […]
Workplace Security
October is National Cybersecurity Awareness Month (NCSAM), and we at the Office of Information Security, along with our partners at Protective Services, are working to ensure the security of your personal and professional data and valuables. However, security is a shared responsibility, and we require your cooperation and support. “Office creeper” is the term of […]
NCSAM: Be in the Know About Cybersecurity
National Cybersecurity Awareness Month (NCSAM) is underway! Our month of activities began with the annual Shred IT event on the School of Medicine Campus. On Tuesday, October 1, members of our community brought 1,025 pounds of paper and 4,457 pounds of electronics to the School of Medicine campus to be securely destroyed and recycled. This […]
National Cybersecurity Awareness Month: Shred IT
On Tuesday, October 1st, the Office of Information Security, Office of Sustainability, and Operations & Facilities Management will be hosting an e-waste recycling and confidential paper shredding event. This event is the first in a series of events sponsored by the Information Security Office and our partners in celebration of National Cybersecurity Awareness Month (NCSAM). […]
Security Controls
The Office of Information Security (OIS) will review and identify the applicable security frameworks – International Organization for Standardization, National Institute of Standards and Technology (NIST) Security Controls (SP800-53) and other identified industry standards to be applied and tailored within Washington University (WashU) departments and schools. Controls will be assigned to create protection levels. Control […]
A New Look for the Information Security Website
As we celebrate the new year and try to stick to those New Year’s resolutions, The Information Security Office (ISO) is excited to announce the launch of its new website! The new informationsecurity.wustl.edu is designed in a user-friendly format so you can learn about cyber security topics and quickly find information you need. Take some time this […]
October is National Cyber Security Awareness Month
October is National Cyber Security Awareness Month and the WashU Information Security Office (ISO) wants to take this opportunity to remind students, faculty and staff to be vigilant in protecting your personal information as well as university information. As the lines between our work and daily lives become increasingly blurred, developing habits and behaviors that […]
Security Alert: Office 365 Email Phishing on Campus – October 3, 2018
Risk: High Details: The Information Security Office has received reports of phishing emails purporting to be from BJC personnel, however, the email addresses are being spoofed and used against Wash U. The phishing samples have had infected DOC files attached referring to Outstanding Invoice or Balance Discrepancies. Action: Do not try to open any suspicious files you were […]
IRB Security Review
An institutional review board (IRB) applies research ethics in the review of proposed research. These boards review the research protocols and related materials of biomedical and behavioral research involving humans to assure appropriate steps are taken to protect the rights and welfare (physical and psychological) of humans participating in research studies. Federal regulations require IRB […]
HIPAA Privacy Information
Centered on your privacy Washington University health care providers respect the confidentiality of our patient’s health information by observing the highest standards of ethics and integrity. Our Notice of Privacy Practices describes your rights under HIPAA and how Washington University may use and disclose your protected health information. If you have not reviewed our Notice of Privacy Practices. […]
Information Security FAQ
Your Information
in·for·ma·tion /infərˈmāSH(ə)n/ noun facts provided or learned about something or someone Think of your personal information—such as social security numbers, credit card numbers, medical information—as the furniture in your house. Your passwords are the keys to that house. Just as you would never leave your house keys unattended or leave your front doors unlocked, you […]
Phishing Alert: Verified Duo Push Scam
Members of the WashU community are receiving fraudulent phone calls from criminals asking them to enter a three-digit code into the Duo app. What you should do The only time you should type in the three-digit code into Duo is if you are logging in for yourself. Do not enter a code given to you […]
Chance to Win $100 in Our Monthly Challenge
The Office of Information Security (OIS) is always looking for ways to improve your security and reward your participation in helping to secure WashU. Back by popular request, the InfoSec team is assigning the Inside Man as our training competition this April. The Inside Man is a soap opera-style training that covers critical cyber security […]
Scam of the Month: Outstanding Toll Amount
Road trip season is approaching, and the FBI has observed criminals impersonating road toll collection services via text message. While there is only one toll bridge in Missouri – the Lake of the Ozarks Community Bridge (for now) – many neighboring states operate toll roads. If you see a message like the one below, please […]
Summer Break Travel and Job-Hunting Tips
Summer break is right around the corner, and many in the WashU community will be traveling or looking for a summer job. Unfortunately, the devices we rely on for managing travel have also become targets for theft and cybercrime. Whether you are searching for a job or taking a trip, please protect yourself and the […]
Scam of the Month: DEA Impersonation Phone Call
According to Washington University School of Medicine Protective Services, the WUSM Physical Therapy department received a call from someone impersonating the DEA to steal personally identifiable information. In the call, they claimed to be an investigator from the DEA headquarters, saying that a nurse practitioner had reported fraud under their name, medical license number, and […]
The Deaf Lottery Scam
Back in his federal law enforcement days, WUSM’s Assistant Director of Investigations and Crime Prevention, Steve Manley, came upon an advance fee scam. An informant who operated a corner store in East St. Louis called him one afternoon. He told Manley a customer was sending large sums of money to Nigeria via Western Union. The caller […]
Thanks for Making the E-Waste Recycling Event a Success
On Tuesday, March 26th, the Office of Sustainability and Office of Information Security hosted their biannual electronic waste recycling and secure paper shredding event on the Danforth campus. Thank you to all who supported sustainability by securely recycling their electronic waste and confidential documents. The event was a huge success. In just two and a […]
Scam of the Month: RESEARCH ASSISTANT VACANCY FOR UNDERGRADUATE
The Office of Information Security has observed a trend in which criminals advertise a job while impersonating a Professor of Computer Science and Engineering. Impersonation is one of the most effective social engineering tactics used by scammers, and it can be particularly enticing if offered employment. If you see a message like the one below, […]
Data Classification
From an information security perspective, data classification is the categorization of data according to the severity of adverse effects should those data be disclosed, altered, or destroyed without authorization.
Scam of the Month: COVID-19 Variant Poses Risks in our University
The Office of Information Security has identified a trend in which criminals send members of our community false COVID-19 contact tracing emails with a malicious link. They hope a victim will click the link and give their WashU credentials. In this scam, hackers use a compromised email address from Brown University to send phishing emails. […]
Duo Exceptions
The DUO Two-Factor Authentication upgrade was deployed on November 20, 2023, to enhance and secure WashU systems and applications access. A smartphone or tablet with the Duo Mobile app installed is required to use this new and preferred verified push method of multi-factor authentication. There are circumstances where you might not be able to download […]
Retirement of Secure WUSM Infosec Bulletin
To simplify the critical messages you receive about information security at the university, the Office of Information Security is retiring the Secure WUSM Infosec bulletin. Instead, the content will now be published in this newsletter. That means there will be fewer university-wide emails! Additionally, we are folding Secure WUSM itself into the organization-wide CyBear Secure […]
Tips for Traveling and Shopping Safely This Holiday Season
With Black Friday and Cyber Monday behind us, it can be tempting to impulse buy any remaining discounted items. Before getting caught up in a “while supplies last” frenzy, remember that scammers capitalize on hasty decisions involving payment information. According to the Internet Crime Complaint Center’s (IC3) 2022 report, non-payment and non-delivery scams cost people more […]
Scam of the Month: Charity Scam
If You Sent Money to a Scammer Scammers often insist that you pay in ways that make it tough to get your money back. They prefer you wire money through a company like Western Union or MoneyGram, send cryptocurrency, use a payment app, or buy a gift card and give them the redemption code. Regardless of how you lost money to a scam, […]
Scam of the Month: Process has begun by our administrator
The Office of Information Security has identified a trend in which criminals send members of our community account termination emails containing a malicious link. They hope a victim will give their WashU credentials in a Google Form. In this scam, hackers use a legitimate WashU email address to send phishing emails. Victims who click the […]
Revised and Updated Policies 2023
The Washington University in St. Louis Office of Information Security supports education, research, and clinical care by protecting systems and data for everyone at our institution. Information security is essential to every member of our community, and we all share personal responsibility for ensuring the security of our systems. We continuously improve our systems and […]
Scam of the Month: Document Shared with You
The Office of Information Security has identified a trend in which criminals send members of our community a Google Document containing a malicious link, in hopes that a victim may give up their credentials. In this more elaborate scam, hackers posed as Adis Avila, who is not an individual who works at our university, sending […]
Phishing Alert: Credential Phishing via QR Code
How this Scam Works Members of the WashU community are being targeted by criminals using malicious QR codes to steal valuable and personal information. The QR codes targeting WashU credentials lead an unsuspecting victim to a fake WUSTL Key login page. If the victim enters any information on the malicious login page, they will unknowingly […]
Phishing Alert: Credential Phishing via Google Form
How this Scam Works Members of the WashU community are receiving fraudulent shared document emails that ask them to divulge their WUSTL Key and credentials in a Google Form. Victims receive a fraudulent email about a shared document from an email address outside of WashU: When a victim clicks the link in the email, they […]
Research Protocol
A research protocol is a detailed plan that outlines how a scientific study will be conducted.
Remote Access
Remote access refers to the ability to access a device or a network from any geographic location.
Chance to Win $100 in Our Monthly Challenge
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
Back to School Resources
Welcome back! We know you will be busy as the semester begins, so we have pulled together resources to help you with a variety of common security needs. See below for our roundup of guidance to help you get in the swing of the semester! Devices Device security is essential for protecting your privacy and […]
Scam of the Month: Geek Squad Customer Service
The Office of Information Security observes a trend in which criminals send a fraudulent order confirmation claiming the recipient will be charged almost $500. The criminals hope victims will call a phone number to refute the “purchase” and disclose their banking information. If you see a message like the one below, please do not interact […]
Chance to Win $100 in Our Monthly Challenge
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
Scam of the Month: Compromised Email
The Office of Information Security observes a trend in which criminals use a compromised email account to trick victims into divulging their WUSTL Key password. In this scam, criminals took over a legitimate email address from UT Health San Antonio and used it to send phishing emails. Victims who click on the phishing link are […]
Chance to Win $100 in Our Monthly Challenge
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
Scam of the Month: Sheriff Impersonation
The Office of Information Security observes a trend in which criminals impersonate the sheriff’s office over the telephone. These scammers claim you signed for a subpoena, are an expert witness, or are a juror and never showed up for court and then demand payment. Along with a false accusation, scammers may list your personal information […]
Chance to Win $100 in Our Monthly Challenge
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
Business Associate Agreement (BAA) Explained
If you work with Protected Health Information (PHI), you have probably heard mention of a business associate agreement. At WashU, it is essentially a contract between WashU and a business associate concerning the handling of PHI. Who is a Business Associate? It is a person or entity outside of WashU who creates, receives, maintains, or […]
Scam of the Month: DEA Impersonation
The Drug Enforcement Administration (DEA) is warning the public of a widespread fraud scheme where scammers impersonate DEA agents to extort money or steal personally identifiable information. DEA personnel will never contact members of the public to demand payment or sensitive information. No legitimate federal law enforcement officer will request cash or gift cards from […]
Policy Review and Approval Guidelines
To ensure WashU Office of Information Security policies, guidelines, standards, and procedures are relevant to university practices and government regulatory mandates.
Vulnerability Management Policy
This policy and associated guidance cover a well-defined and organized approach for vulnerability management to reduce infrastructure risks and integrate with patch management. To ensure confidentiality, integrity, and availability of WashU systems Office of Information Security (OIS) and Information Technology (IT) will develop a documented vulnerability management process for the efficient and effective assessment and mitigation of IT infrastructure risks.
Password Policy
The policy and associated guidance provide direction for authentication to WashU systems and network.
Media Reuse and Disposal Policy
The policy and associated guidance provide requirements for reuse or disposal of WashU systems containing protected or confidential information.
Managing Access Policy
The policy and associated guidance provide a well-defined and organized approach to facilitate access being granted, managed, and reviewed based on the roles of each computer user while remaining compliant with regulatory mandates.
Litigation Hold Policy
The policy and associated guidance provide a well-defined approach to notify, identify, collect, and retain electronic information relevant to requests from the Office of the Executive Vice Chancellor and General Counsel (OGC) for preservation or collection of electronic information.