Statement of Policy
Washington University in St. Louis (WashU) is committed to conducting all university activities in compliance with all applicable laws, regulations and university policies. WashU has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
The policy and associated guidance provide a well-defined and organized approach for compliance with identified security controls.
This policy is applicable to all WashU systems and network segments.
The audience for this policy is IT users with elevated permissions.
WashU faculty, staff and students will need to be aware of this policy. This also applies to all other agents of the university with access to WashU information and networks for contracted services. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests and volunteers. These roles will be referred to collectively hereafter as the “WashU community”.
WashU executive management and governance boards require all personnel, departments, and schools to ensure that sensitive information used and held by the University is protected to assure its confidentiality, integrity and availability.
The Information Security Office (ISO) will review and identify the applicable security frameworks – International Organization for Standardization, National Institute of Standards and Technology (NIST) Security Controls (SP800-53) and other identified industry standards to be applied within WashU departments and schools. Controls will be assigned to create protection levels within the infrastructure commensurate with risk. Control assignments will be based on the information classification – (protected, confidential and public) and system classification (regulated, business, research, academic) of the information created, hosted or transmitted within the infrastructure.
The ISO will identify the controls that departments and schools will need to implement, develop processes for, and document for compliance.
The ISO will measure compliance with this policy through various methods, including, but not limited to – reports, internal/external audits, and feedback to the policy owner. Exceptions to the policy must be approved by the ISO in advance. Non-compliance will be addressed with management, the Area Specific Compliance Office, Human Resources or the Office of Student Conduct.
Information Classification Policy
System Classification Standard
Control Zone Standards
This policy will be reviewed at a minimum every three years.
Title: Information Security Controls Policy
Version Number: 1.0
Reference Number: PL-01.05
Creation Date: March 6, 2018
Approved By: Security and Privacy Governance Committee
Approval Date: June 1, 2018
Scheduled Review Date: March 1, 2022
Revision Date: February 26, 2019
Revision Approval Date: March 15, 2019
Policy Owner: Information Security Office