Information Security Policies and Standards

Saint Louis University has put in place numerous policies and standards to ensure the security of faculty, staff and students' data and University information. For more information about these policies, please visit the Information Security Policies and Standards Google Site or contact the IT Security and Compliance team at

Information Security Policy Statements 

2.1 Information Security Organization
Appropriate organizational capability shall be maintained to create, promote and manage the Information Security policies which support data privacy compliance, industry regulatory compliance, network security, security operations, security incident handling and security awareness.

2.2 Information Security Management
The confidentiality, integrity and availability of University information must be protected according to data classification and applicable law when being handled and/or transmitted.

2.3 Access Management
Access to and use of information and business resources shall be controlled and administered based on verified identity and defined business and legal requirements.

2.4 Information Security Operations
All computer processing and information assets owned or leased by the University must be operated by persons with defined roles and responsibilities and administered using documented procedures in a manner that is both efficient and effective in protecting the University's information assets.

2.5 Systems Security
All University owned and/or managed computing devices must be securely configured in accordance with their intended use.

2.6 Network Security
Network designs and processes must be developed and utilized to restrict the path between network client workstations and University IT Resources to minimize opportunities for unauthorized use or access.

2.7 Application Security
The software development or implementation life cycle for purchased or internally developed applications must include appropriate security controls and audit capabilities to prevent the loss, modification, corruption or misuse of University information technology assets.

2.8 Risk Management
Plans shall be implemented and maintained that outline a process to define, identify, measure, report and manage IT risks.

2.9 Incident Management
All members of the University workforce are responsible for reporting any IT security-related incidents by utilizing the University's incident response procedures.

2.10 Business Continuity and Disaster Recovery
Business continuity and disaster recovery plans shall be implemented and maintained in order to minimize business interruptions and quickly react and respond to them so as to return to normal operations.

2.11 Asset Management
A formal accounting of information resources (e.g. information assets, hardware, and software) shall be maintained while assets are being labeled, handled, stored and disposed of in an appropriate manner, thus enabling protection of the confidentiality, integrity, and availability of such resources.