The School of Medicine and Public Health (SMPH) is committed to maintaining the privacy, confidentiality, and security of university-owned data. This policy supports a comprehensive governance, risk, and compliance (GRC) program and is intended to be consistent with information security best practices associated with organizational information security management. The purpose of this policy is to set forth technical and legal requirements and expectations related to user acknowledgment of access to SMPH information systems or university-owned data prior to accessing such systems or data. This policy should be used in conjunction with SMPH-6020 User Account Management Policy and related university policies.
This policy applies to all SMPH departments, centers, and institutes.
This policy establishes requirements for the necessary controls and processes supporting the display of a defined system-use notification message or banner to users prior to granting access to information system resources. It supports the confidentiality, integrity, and availability (CIA) of departmental and SMPH information systems and university-owned data. This policy maintains that:
The following message is an example that outlines the expectations regarding access to SMPH information systems and their data:
"Authorized user access only. You are about to access a protected information system containing university-owned data. Actual or attempted unauthorized access and use of this computer system may result in disciplinary action, criminal, and/or civil prosecution. We reserve the right to view, monitor, record, and audit all activity on this system without notice or permission. Any information obtained by such actions taken is subject to review and release to law enforcement organizations for investigation or prosecution of unauthorized criminal activity on the system in accordance with federal law, state statute, and university policy. If you are not an authorized user of this system, exit the system at this time. By clicking ‘ok’, you agree to and accept these conditions."
45 C.F.R. § 164.308 – Administrative safeguards
45 C.F.R. § 164.310 – Physical safeguards
45 C.F.R. § 164.312 – Technical safeguards
45 C.F.R. § 164.314 – Organizational requirements
45 C.F.R. § 164.316 – Policies and procedures and documentation requirements
UWS Policy 1000: Information Security: General Terms and Definitions
UWS Regent Policy Document 25-3: Acceptable Use of Information Technology Resources
01-15-2020, 08-26-2019, 12-20-2021