The Information Security Office (ISO) will review and identify the applicable security frameworks – International Organization for Standardization standards, National Institute of Standards and Technology (NIST) security controls (SP800-53) and other identified industry standards – to be applied and tailored within Washington University (WashU) departments and schools.

Controls will be assigned to create protection levels. Control assignments will be based on the information classification (protected, confidential and public) and the system classification (regulated, business, research, academic) of the information created, hosted or transmitted within the university's infrastructure.

NIST SP800-53 Control Families

Access Control (AC)

Awareness and Training (AT)

Audit and Accountability (AU)

Security Assessment and Authorization (CA)

Configuration Management (CM)

Contingency Planning (CP)

Identification and Authentication (IA)

Incident Response (IR)

Maintenance (MA)

Media Protection (MP)

Physical and Environmental Protection (PE)

Planning (PL)

Personnel Security (PS)

Risk Assessment (RA)

System and Services Acquisition (SA)

System and Communications Protection (SC)

System and Information Integrity (SI)

Laws and Regulations

HIPAA (Health Insurance Portability and Accountability Act) protected health information (PHI) exists in three forms within this environment.

1.     The Designated Record Set, stored within the Physician Billing and Electronic Medical Record systems, is the official medical record for our clinical patients. This is the focus for applying for Meaningful Use, and all risks to this environment will be documented under the Meaningful Use Risk section of this document.

2.     Subsets of the Designated Record Set that are used by administrative functions to assist with billing, financial planning, and quality assurance and quality improvement processes, and/or feeds to our inpatient partner BJC.

3.     Datasets built in the research environment using inclusion criteria extracted from the medical record, regulated by the Human Research Protection Office.

FERPA (Family Educational Rights and Privacy Act) is a federal law intended to protect the privacy of student education records, from early childhood through college.

PCI DSS (Payment Card Industry Data Security Standard) is a proprietary information security standard for organizations that handle branded payment cards from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB.

PII (Personally Identifiable Information) – 48 state privacy laws vary in their notification requirements and penalties, but all mandate the protection of information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context, including Social Security numbers and other financial information.

CUI (Controlled Unclassified Information) – Some government information is available to the public. Classified information is defined by Executive Order 13526 (issued December 29, 2009) or the Atomic Energy Act of 1954 and is required to carry classification markings and be protected against unauthorized disclosure. CUI is information that is not publicly available and does require safeguarding or dissemination controls, but is not classified. Most government agencies, through their research contracts, specify that this information be protected per NIST SP800-171.

Related Forms

There are no forms related to this service.