School of Medicine & Public Health – User Account Management

Layout for printing
Policy Number:
SMPH-6020
Old Policy Number:
60.20
Responsible Office:
SMPH Cybersecurity

School of Medicine and Public Health (SMPH) Policy

Rationale/​Purpose:

The School of Medicine and Public Health (SMPH) is committed to maintaining the privacy, confidentiality, and security of university data. This policy supports a comprehensive governance, risk, and compliance (GRC) program and serves to be consistent with information security best practices associated with organizational information security management. This policy establishes requirements of necessary controls and processes supporting the application of user account management for all SMPH information systems. It supports the confidentiality, integrity, and availability (CIA) of SMPH information systems and university-owned data.

Definitions:
Confidentiality, integrity, and availability (CIA)
  • Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
  • Integrity: Guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity.
  • Availability: Ensuring timely and reliable access to and use of information.
Data
Information, whether electronic or hard copy, that is collected, stored, transferred, or reported for any purpose. 
Data custodian
A term describing a UW System, UW–Madison, or SMPH employee who has been given formal responsibility for the security of an asset or the data hosted on the asset. It does not mean that the asset belongs to the employee in a legal sense.
Default account
A pre-existing account created by the manufacturer or vendor.
User account
An account that is under the control of a specific individual and is not accessible to others. This is a user-interactive account.
Scope:

This policy applies to all SMPH departments, centers, and institutes.

Policy:
  1. Access to university-owned data must be restricted by the creation of user accounts that limit access to those individuals who are authorized to change and/or view the data to carry out the duties of their job. Each user must be assigned a unique User Login ID.
  2. All university-owned data must only be accessed by user accounts defined by this policy and access controls appropriate for the characteristics of the data.
  3. Documented processes must exist involving the delegation of authority throughout the user account creation, modification, and deletion process. These processes need to be at each organizational level that is providing user account management. Only valid sources, such as appropriate supervisory or HR personnel, are authorized to request the creation, change, or termination of a user account. The person who authorizes the change must be different from the person who implements the change.
  4. Formal documentation establishing a user account list and role-based access details for each account must be maintained and periodically reviewed. The person(s) responsible for creating user accounts and/or data custodians are responsible for creating, approving, and maintaining documentation with regards to role-based access at their organizational level.
  5. Temporary user accounts must adhere to this policy, including having documentation that defines a beginning date, end date, and reason for creation. This documentation must be retained for a minimum of six years from its creation or the date it was last in effect, whichever is later.
  6. The appropriate Information Technology (IT) staff must be notified of any change in status of any user with an account where their access rights may be affected, including their right to hold an account.
  7. User accounts must be terminated in accordance with UW System, UW–Madison, and SMPH policies. The IT termination process will start within one business day of receipt of a valid termination notification from a valid source, such as appropriate supervisory or Human Resources (HR) personnel. The person who authorizes the change must be different from the person who implements the change.
  8. User accounts and their access must be reviewed at least every year or at any major system change.
  9. If a user account is required for a third party, it must adhere to this policy, as well as other UW System, UW–Madison, and SMPH policies.
  10. Periodic scans for inactive user accounts must be performed at least annually and appropriate action must be taken, including validation and verification of authenticators’, groups’, and individuals’ roles and responsibilities. It is highly recommended that this be completed every 90 days as suggested by the Center for Internet Security (CIS).
  11. All user accounts must have logs that monitor the use of accounts and include, at a minimum, history of creation, modification, login attempts, and deletion. These logs should be kept for a minimum of six years, whenever possible.
  12. Password controls must meet or exceed UW System and UW–Madison password and authentication policies.
  13. Each user account must have only one uniquely identifiable user whenever possible.
  14. Multi-factor authentication must be used whenever available.
  15. If a user believes their account has been compromised, they are required to immediately report the incident to SMPH Cybersecurity..
  16. Default accounts must be disabled or removed whenever possible. When not possible, compensating controls should be considered, such as changing the default password.
  17. This policy shall be reviewed/revised on a defined schedule as set forth by SMPH.  
Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Dean, School of Medicine and Public Health
Policy Manager:
SMPH Chief Information Security Officer
Contact:
SMPH Chief Information Security Officer -- Amy Diestler, adiestler@wisc.edu, (608) 263-4623
Effective Date:
10-01-2019
Date Issued:
10-01-2019
Revised Dates:

01-14-2020, 08-26-2019, 12-20-2021, 04-24-2025

Reviewed Dates:

04-24-2025

Retrieved:
06-13-2025 10:11:50