Statement of Policy

Washington University in St. Louis (WashU) is committed to conducting all university activities in compliance with all applicable laws, regulations and university policies. WashU has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

Applicability
Protected and confidential information created, stored or transmitted by WashU.

Objective
This policy covers a well-defined and organized approach for compliance with security controls.

Policy
WashU executive management and governance boards require all personnel, departments and schools to ensure that sensitive information used and held by the University is protected to assure its confidentiality, integrity and availability.

The Information Security Office (ISO) will review and identify the applicable National Institute of Standards and Technology (NIST) Security Controls (SP800-53) and other identified industry standards to be applied within WashU departments and schools. Controls will be assigned to create protection levels within the infrastructure commensurate with risk. Control assignments will be based on the information classification (protected, confidential and public) and system classification (regulated, business, research, academic) of the information created, hosted or transmitted within the infrastructure.

The ISO will work with the departments and schools to identify the controls they will need to implement. The departments and schools will need to develop processes and required documentation to be compliant with the controls.

Reference
https://www.nist.gov/
Information Classification Policy
System Classification Standard
Control Zone Standards

Title: Information Security Controls Policy
Version Number: 1.0
Creation Date: 03/06/2018
Approval Date: 06/01/2018
Applicability: Protected and confidential
Reference Number: 01.05
Status: Final
Policy Owner: Information Security Office