The School of Medicine and Public Health (SMPH) is committed to maintaining the privacy, confidentiality, and security of university data. This policy supports a comprehensive governance, risk, and compliance (GRC) program and is intended to be consistent with information security best practices associated with organizational information security management. The purpose of this policy is to set forth requirements supporting account management, including the expectations by which user accounts are created and managed.
This policy applies to all SMPH departments, centers, and institutes.
This policy establishes requirements for the controls and processes that support user account management for all SMPH and departmental information systems. It supports the confidentiality, integrity, and availability (CIA) of departmental and SMPH information systems and university-owned data. This policy maintains that:
45 C.F.R. § 164.308 Administrative safeguards
45 C.F.R. § 164.310 Physical safeguards
45 C.F.R. § 164.312 Technical safeguards
45 C.F.R. § 164.314 Organizational requirements
45 C.F.R. § 164.316 Policies and procedures and documentation requirements
Center for Internet Security (CIS) Critical Security Controls
NIST SP 800-63 Digital Identity Guidelines
UWS Administrative Procedure 1030.A: Information Security: Authentication Standard
UWS Administrative Procedure 1031.B: Information Security: Data Protections
UWS Policy 1000: Information Security: General Terms and Definitions
UWS Regent Policy Document 25-3: Acceptable Use of Information Technology Resources
01-14-2020, 08-26-2019, 12-20-2021