School of Medicine & Public Health - Information Technology Assets

Layout for printing
Policy Number:
SMPH-6025
Responsible Office:
SMPH Cybersecurity

School of Medicine and Public Health (SMPH) Policy

Rationale/​Purpose:

The purpose of this policy is to establish the minimum requirements for acquiring, managing, securing, inventorying, and retiring information technology (IT) assets within the School of Medicine and Public Health (SMPH). The policy strengthens protection of university-owned data, ensures compliance with University of Wisconsin–Madison policies and federal regulations, and creates a unified framework for IT asset lifecycle management across SMPH departments, centers, and institutes.

Definitions:
Authorized Information Technology (IT) Staff
SMPH IIT personnel whose duties include developing, managing, administering, or supporting IT systems and applications that generate, collect, store, maintain, transmit, or record SMPH and institutional data.
End of Life (EoL)
A device, operating system, or software product that no longer receives vendor updates.
Hardware IT Asset
Any physical device (e.g., desktops, laptops, servers, tablets, mobile devices, peripherals, removable media, Internet of Things devices) used to access, process, store, or transmit SMPH and institutional data.
Institutional Funds
Funds administered by UW–Madison and/or SMPH (e.g., departmental, discretionary, gift, program), UW Health funds when used to support SMPH-related purchases, UW Health-to-SMPH transfer funding (e.g., Medical School Transfer Funding) and sponsored project/grant funds.
Significant Change
Any modification to an IT asset that could reasonably affect its security or privacy posture.
Scope:

This policy applies to all hardware IT assets used to conduct SMPH-related business or to access, process, store, or transmit SMPH and/or university data. Examples include:

  • Devices purchased with institutional funds 
  • Physical and virtual desktops, laptops, servers, tablets, mobile devices, and peripherals
  • Any device with data-storage capability, regardless of cost
  • Network-connected or Internet of Things (IoT) devices deployed in SMPH environments

Personally owned devices are not considered SMPH IT assets and are not authorized substitutes for SMPH managed devices and should not be used for SMPH business.

Software, applications, browser extensions, cloud services, and personal cell phones are out of scope for this policy.

Policy:

  1. Vendor Review & Procurement

    1. IT asset requests for purchases must be submitted through the SMPH IT Service Management (ITSM) platform for purchase, review, and approval.
    2. All IT asset vendors must be reviewed and approved by authorized IIT staff prior to acquisition.
    3. Vendor reviews must follow supply chain risk practices aligned with NIST SP 800-53 Rev. 5.

  2. Ownership & Provisioning

    1. IT assets acquired with institutional funds remain property of SMPH and must be used solely for SMPH business purposes.
    2. SMPH faculty, staff, and students whose role requires access to SMPH systems or institutional data must be provisioned with at least one of the following:
      1. An SMPH-managed device
      2. Access to an SMPH-provided virtual desktop
    3. Individuals whose duties do not require access to SMPH systems or institutional data (e.g., roles limited to non-IT tasks) are not required to be provisioned with an SMPH-managed device or virtual desktop.
    4. All IT assets must be provisioned by Authorized IIT Staff before use and configured with required security controls as outlined in the SMPH Endpoint Standards.

  3. Use & Storage

    1. IT assets must be stored in locations that have appropriate physical controls in place (e.g., locked offices, secure labs, approved remote settings when a remote work agreement or equivalent approved arrangement is in place).
    2. Remote use of IT assets must meet security requirements for remote access and approved remote work arrangements.
    3. For employees eligible under UW-5087 Remote Work, remote work arrangements must be documented through an approved remote work agreement when required.
    4. For faculty and others not covered by UW-5087 Remote Work, remote use must still follow SMPH-approved secure remote access practices and any applicable unit/HR guidance.
    5. When using public Wi-Fi, SMPH VPN must be connected, and the device must comply with the SMPH Endpoint Standards

  4. Security & Risk Management

    1. All IT assets must comply with the SMPH Endpoint / Device Standards, which define the required security controls for endpoint protection, management, and risk mitigation
    2. IT assets must:
      1. Receive regular vendor security updates
      2. Be scanned for vulnerabilities as required in the SMPH Endpoint / Device Standards 
      3. Not operate past end of life unless documented through an approved, risk-based exception with compensating controls implemented
    3. Only software with a documented business need and SMPH IIT approval may be installed on SMPH-managed hardware.

  5. Maintenance & Change Management

    1. All maintenance or repair of SMPH IT assets must be performed or coordinated by authorized IIT staff or approved vendors.
    2. Significant changes must be reviewed and approved before implementation.

  6. Inventory & Lifecycle Management

    1. All IT assets that have data storage capabilities, including peripherals and removeable media, must be inventoried with SMPH IIT and be included in the SMPH IIT asset inventory in accordance with UW-527 Information Technology (IT) Asset Reporting and UW-3008 Capital Equipment.
    2. Assets that cannot fully comply with this policy must be identified in the IT asset inventory and documented with justification, compensating controls, and an approved risk-based exception.
    3. Data on retired IT assets must be securely wiped per UW-130 Destruction/Disposal of Protected Health Information, UW-505 Media and Device Disposal and Reuse, UW-515 Restricted Data Security Management.
    4. When individuals leave their position or SMPH, all assigned IT assets must be returned to SMPH IIT.
    5. When an IT asset is returned, SMPH IIT will provide the originating department, center, or laboratory an opportunity to request continued business use of the asset within that unit when feasible.
    6. If the originating department or unit does not request continued use, SMPH IIT may reassign the device for business use elsewhere within SMPH.
    7. Lost or stolen IT assets must be reported immediately per UW–Madison and HIPAA incident reporting procedures.

  7. Compliance

    1. All IT assets must comply with SMPH, UW–Madison, and UW System policies and standards.
    2. Deviations from this policy must be documented, reviewed, and approved, by SMPH IIT and mitigated with compensating controls.
Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Vice Chancellor for Medical Affairs and Dean School of Medicine & Public Health
Policy Manager:
SMPH Chief Information Security Officer
Contact:
SMPH Chief Information Security Officer -- Amy Diestler, adiestler@wisc.edu, (608) 263-4623
Effective Date:
05-18-2026
Date Issued:
05-18-2026
Retrieved:
05-20-2026 15:22:17