The Office of Information Security (OIS) supports WashU’s mission of excellence in teaching, research, and patient care by assessing the security of the tools our community uses every day to do our work. Faculty and researchers often have specific needs for secure storage and communication services and unique needs for tools that aid student engagement, data collection and analysis, and many other functions specific to teaching and research demands. The OIS is here to help our community find and use the most secure tools to do the job!
Tools and services that are new to the university need to undergo a risk assessment by the Governance, Risk, and Compliance (GRC) team. In the assessment, the team examines the types of data used with the tool or service, what data the vendor will access, where the data will be stored, whether the data are encrypted, and several other security matters.
The GRC conducts these thorough security reviews to protect the university and to protect you—your data, the privacy of your students and research participants, and your reputation as a professional who knows how to handle data appropriately. There are no upsides to lax security for anyone. The OIS and the WashU community are allies in the quest to advance knowledge while protecting our work, data, resources, and people from security risks.
Confidential and protected information needs special care when stored or transmitted, and we have special tools that can help. The OIS has already vetted the tools we use day in and day out for storage and communication. For example, WashU Research Data Storage, WUSTLBox, OneDrive, and SharePoint are approved for use with protected health information (PHI), personally identifiable information (PII), human resources (HR) data, legal data, and financial data. For communications, Zoom is approved for PHI, but Teams is not. For surveys, REDCap is approved for use with protected data, but Qualtrics is not approved for use with PHI or PII. The Secure Storage and Communication Services page is your guide to which tool should be used with which kind of data. Refer to this page whenever you have a question about how to handle your data securely.
Researchers and faculty teaching courses in research ethics and methods will find helpful information and resources in the Research tab on the OIS website. The Research tab includes a glossary of information security and research terms and discussions of information security concepts such as confidentiality, integrity, and availability of data, data classification, and research data security.
Finally, faculty and researchers adopting new technologies to engage their students or research participants may find that they need a security assessment of the technology before they can begin using it. Our Forms page has everything you’ll need! If the Institutional Review Board directs you to the OIS after reviewing your proposal, you’ll need to complete the IRB Security Review Form so that we can conduct a security review of your study and provide helpful recommendations for securing your data. The form and step-by-step guidance are available on our IRB Security Review page. If you’re trying to adopt new technology for your department or courses, you’ll likely need a security assessment first. Your department will need to complete our IT Procurement Vendor Intake Form.
The OIS has a form and a process to meet practically every need, and we are continuously working to improve our operations to better serve the WashU community. Not sure which form or service is right for you? Reach out to us at firstname.lastname@example.org, and we’ll point you in the right direction.
We are here to help you achieve your goals while protecting the people, data, and systems that make us WashU!