Statement of Policy

Washington University in St. Louis (WashU) is committed to conducting all university activities in compliance with all applicable laws, regulations and university policies. WashU has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

Objective
Establish a common methodology and organized approach to Information Security risk management whether based on regulatory compliance requirement or a threat to the university.

Scope
The information security risk management process covers all administrative, physical, technical process that enable and govern protected and confidential electronic information whether created, stored (on site or externally hosted), processed or transmitted by WashU faculty, staff, students and supporting infrastructure.

Risk Governance
Leadership shall steer the institution towards actions that ensure cyber risk taking activities are aligned with the institution’s capacity to with stand losses and its missions of education, research and healthcare. It will create a balance between the risk presented to the university and its ability to conduct its operations.

Policy
WashU Information Security Office recognizes the university is continually exposed to internal and external risks. WashU Information Security office (ISO) is committed to an ongoing risk management process to protect WashU information, assets and its ability to perform its mission.

The ISO will develop and maintain an Information Security Risk Management Process to frame, assess, respond and monitor risk. Guidance for this process will be based on the International Organization for Standardization, ISO27001, ISO27005, ISO31000 frameworks and specific security regulations e.g. HIPAA, PCI-DSS, FERPA, etc. The risk management process will be designed to assist WashU maintain compliance with regulatory requirements, federal and state and local laws. Refer to the Information Security Risk Management Process for instructions.

Risk management will involve the entire WashU community. The ISO will engage with our stakeholders, workforce members, departments and schools to increase awareness and communication of risk and to identify methods to integrate risk management in university culture, events, projects, processes, strategic and operational planning. Expectations for all workforce members will be open, clear and transparent.

The ISO will identify, categorize, prioritize and report risks based on the probability and potential impact to the environment if confidentiality, availability and / or integrity is compromised. The risk evaluation will be uniform and consistent for WashU departments and schools. Dependencies for departments and school will also be included in the risk evaluation.

Risk Register
The Risk Register is currently comprised of a series of unrelated spreadsheets across a combination of administrative and academic units and risk types.

The CISO is responsible for maintaining the risk register.

The purpose of the Risk Register is to consolidate all information about risk is into a central repository. This allows risk management participants to use a single resource to obtain the status of the risk management process.

The risk register shall comprise the following minimum components:

Date:

The date that risks are identified or modified. Optional dates to include are the target and completion dates.

Risk Number:

A unique identifying number for the risk

Assessment ID:

Unique Identifier from risk assessment reports that identified the risk

Risk Description:

A brief description of the risk, its causes and its impact

Existing Controls:

A brief description of the controls that are currently in place for the risk

Consequence:

The consequence (severity or impact) for the risk

Risk Ranking:

A priority list which is determined by the relative ranking of the risks by their qualitative risk score

Risk Mitigation Strategy:

The action which is to be taken to reduce the risk

Risk Owner:

The person who has the responsibility for the risk, manages the risk mitigation efforts and the risk response if the risk occurs

Roles and Responsibilities

Roles

Responsibilities

Board of Directors Audit Committee

  • Presented annual risk update

Executive Leadership

  • Approves Capital Expenditures for Information Security
  • Communication Path to Deans and Senior Faculty

CIO

  • Sponsors the ISO to ensure the information security risk process is followed for university activities, processes and projects

CISO

  • Will maintain the risk register
  • Communicate information security risks to Executive Leadership
  • Will report annually to university leadership on risks that need to be addressed to bring risk to acceptable level

Information Security Office

  • Responsible for conducting risk assessments, documenting the identified threats and the likelihood of occurrence.
  • Develop policy, procedure and solutions to mitigate identified risk to an acceptable level.

Internal Audit

  • Conduct sample audits to ensure compliance to information security policies and risk mitigation efforts

School & Departmental Stakeholders

  • Responsible for the implementation of risk mitigating controls and ensure they are properly maintained

Employees

  • Acting at all times in a manner which does not place at risk the health and safety of themselves, other person in the workplace, and the information and resources they have use of
  • Helping to identify areas where risk management practices should be adopted
  • Taking all practical steps to minimize the University’s exposure to contractual and regulatory liability.

Reporting
The ISO will use a risk log or register to assist with documenting the identified risks and their status.

The Chief Information Security Officer (CISO) will deliver a risk management report annually to the Board of Director Audit Committee. The report will provide a view of the strategic and operational risks identified and any steps taken to mitigate the risk.

Response
The appropriate university response will be based upon identified risk tolerance levels – remediate, mitigate, transfer, accept or avoid. Plans will be developed and response to the risk will be assigned to the department or school to take the steps to reduce risk to an acceptable level. Cooperation from all schools and departments will be required to reduce risk in the WashU environment. These steps will be monitored, tracked in the risk register, tested and reported to senior leadership.

Risk Management Performance
Performance will be identified and measured by
• The reduction or risks reported quarterly
• Completion and reporting of reviews
• Compliance with regulation
• Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented
• Risk assessments completed for all university events and projects

Policy Review
Risk management will be an ongoing process. The risk management policy and process will be reviewed annually and if necessitated by regulatory or legislative changes.

Related Documents
Risk Management Plan
Risk Assessment Process

Title: Information Security Risk Management Policy
Version Number: 2.0
Creation Date: November 27, 2007
Applicability: Protected and Confidential
Reference Number: 01.03
Status: Final
Revision Date: December 6, 2016
Policy Owner: Information Security Office