Statement Of Policy

Washington University in St. Louis (WashU) is committed to conducting all university activities in compliance with all applicable laws, regulations and university policies. WashU has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

Objectives
This policy and associated guidance provide direction for appropriate use of computer systems, networks, and information at WashU.

Applicability
This policy is applicable to systems connected to any WashU network segment. 

Audience
The audience for this policy is all WashU faculty, staff and students. It also applies for all other agents of the university with access to WashU information and networks for contracted services. This includes, but not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. The titles will be referred collectively hereafter as “WashU community”.

Roles & Responsibilities

Policy
This policy seeks to protect the integrity of the WashU information systems themselves: the computing or networking resources need to be accessible and secure for appropriate use consistent with the mission of WashU; the usurpation of these resources for personal gain, commercial gain, or without authorization is unacceptable. 

To manage systems and networks at WashU, comply with regulatory requirements and enforce the various Information Security Policies, WashU may log, review, retain, prohibit, or in any manner utilize any data or information stored or transmitted via WashU assets. 

Relationship to WashU Policies
All WashU policies listed below applies to information technology as well as to other forms of communication and activity. In addition, these policies are fully recognized by the WashU Computer Use Policy. All users are responsible for being aware of and complying with regulations and Information Security Policies. Use of WashU systems or networks that violates any of these policies will be investigated and sanctions may be applied, including termination. 

Code of Conduct

Intellectual Property Policy

Freedom of expression / Freedom from Harassment

Social Media Policy

WashU students will reference the Student Technology Services Network Use Policy. When in a faculty or staff position, students are expected to adhere to department and / or school policies for network use.

Use of WashU Resources
WashU resources are shared resources available to further educational, research, medical, service, and university-related activities and missions. The WashU community should abide by federal, state, and city laws, regulations and university policy. 

WashU does not monitor the content of web pages or other online communications and is not responsible for the views expressed by individual users. 

The personal use of WashU systems and networks should be limited in nature, scope, and appropriateness. 

While the privileges and responsibilities vary between schools and departments, the use of university resources for personal commercial gain or for partisan political purposes (not including the expression of personal political views, debate, and the like) is inappropriate and possibly illegal. 

Individual university computer systems and departments have varying access requirements and resources. Departments or schools may implement additional computer use guidelines as necessary. Copies of such additional computer user guidelines must be provided to the Chief Information Security Officer (CISO). 

Privacy
Although respect for privacy is fundamental to the university’s policies, understand that almost any information can in principle be read or copied; that some user information is maintained in system logs as part of computer system maintenance; that the university must reserve the right to examine computer files, and that, in rare circumstances, the university may be compelled by law or policy to examine even personal and confidential information stored, transmitted or accessed on university computing facilities. 

Access to WashU Secure Systems
WashU provides access to internal and external system resources. Use of these resources may be governed by various state and/or federal regulatory requirements. All authorized users with access to protected information and systems are expected to be aware of and comply with the regulatory requirements that govern the use of the data as well as the resource. Guidance along with the specific regulatory requirements is provided at WashU through the University’s Area Specific Compliance Offices. 

WashU Community members should be aware of the university’s computer and data classification guidelines prior to utilizing external or personal computing resources through the WashU system. These guidelines are available on the CIO.wustl.edu and informationsecurity.wustl.edu websites. 

Authentication
WashU community members are responsible for protecting their account credentials (user IDs and passwords). Users should not share credentials used for authentication and access to WashU systems and networks verbally or in electronic or written communications. Unique credentials are required for access WashU systems and networks.

Inappropriate access of WashU resources may significantly impact education, research, and patient care and other university activities. 

Personal devices
All devices used to access WashU data or networks must conform to all WashU policies and device protections based upon data classification accessed, stored, or transferred from the device. It is the responsibility of the device owner to secure the system or data. Users may contact the department or school help desk to ensure their personal devices conform. 

Misuse of resources
WashU community members are responsible for all activity involving their WashU accounts and are granted privileges and responsibilities with these accounts. These privileges are not to be used to violate any university policy, or city, state, or federal laws or regulations. Access may be revoked in cases of misuse or threat to WashU systems and networks. 

WashU community members are not to use the WashU systems or networks to cause harm or perform illegal activities including, but not limited to the following: 

  • Cause harm to individuals, university data, university network,
  • Disable systems, programs, or software
  • Email spam or harassment
  • Modify or destroy data integrity
  • Copyright infringement
  • Malicious computer activity

Circumventing WashU policies to compromise the security of an account, system, devices, network, or WashU partner will not be tolerated. 

WashU Rights 

Access 
WashU, through the appropriate systems administrator or management request, may deactivate a user’s privileges when deemed reasonably necessary to enhance or preserve the confidentiality, integrity, or availability of the WashU systems or networks. 

Monitoring 
WashU does not monitor individual system or network usage. Daily system processing and maintenance will log and backup the data. The individual right to privacy may, when personal files may need to be accessed for troubleshooting purposes or to investigate a reported incident, be overridden by authorized personnel to protect the integrity of the university’s computer systems. 

Security 
WashU reserves the right to enforce security controls to preserve the confidentiality, integrity, or availability of the WashU systems or networks. These controls may affect the storage, transmission, and access of confidential and protected information in accordance with WashU policies, regulations, state, and federal laws or regulations.

WashU reserves the right to restrict access to internal or external resources based upon risk to the university systems or networks. 

Reporting 
WashU community members are responsible for reporting concerns or possible violations of this policy. Email infosec@wustl.edu to report concerns or possible violations. Concerns or violations can also be reported anonymously on the university’s hotline at (314) 362-4998. 

Investigation 
Violations of this policy may lead to an investigation involving but not limited to designated representatives for WashU community, Human Resources, General Counsel, Information Security, Internal Audit, the HIPAA Privacy Office, or other Area Specific Compliance Office. 

Sanctions 
Violations of this policy may lead to disciplinary action up to and including termination under either the Human Resources corrective action process or the HIPAA Sanction policy. 

For questions about this policy, contact your school, department, or unit system manager or email Kevin Hardcastle, Chief Information Security Officer. 

Policy Compliance
The Information Security Office (ISO) will measure the compliance to this policy through various methods, including, but not limited to – reports, internalexternal audits, and feedback to the policy owner.  Exceptions to the policy must be approved by the ISO in advance. Non-compliance will be addressed with management, Area Specific Compliance Office, Human Resources or the Office of Student Conduct.

Related Policies
None

Reference
None

Policy Review
This policy will be reviewed at a minimum every three years. 

Title: Computer Use Policy
Version Number: 4.0
Reference Number: PL-01.01
Creation Date: May 31, 1997
Approved By: Security and Privacy Governance Committee
Approval Date: October 10, 2016
Status: Final
Scheduled Review Date: March 1, 2022
Revision Date: February 26, 2019
Revision Approval Date: March 15, 2019
Policy Owner: Information Security Office