Explainer: Access Management Rule (4-004D)

The University of Utah’s Access Management Rule (4-004D) supports Information Security Policy (4-004). The U’s IT security policy, rules, and guidelines aim to protect the university’s IT resources, systems, and data, including that of students, patients, faculty, staff, guests, vendors, and more.

What does it say?

Rule 4-004D outlines authorization, authentication, modification, termination, reaccreditation, and password management requirements for the U’s IT systems and resources. The rule focuses on user access, which must be strictly controlled to ensure the safety of the university’s IT systems, resources, and data. For example, the U requires two-factor authentication to access certain IT resources (e.g., UMail and CIS) because they may transmit or contain confidential information, such as protected health information (PHI) and personally identifiable information (PII).

One key section of the rule for users is password management. Users must protect their passwords, change their passwords if their accounts or passwords might be compromised, and change temporary passwords on first login.

Other sections provide guidance on account management, from requesting and creating university accounts to maintaining and removing university accounts.

Why should I care?

A stolen password or compromised account can provide criminals an entry point to university systems, resources, and data, potentially allowing them to harvest confidential information, damage software and hardware, and attack other users. Account breaches can also harm the U’s finances and reputation, and the privacy of U students, patients, faculty, and staff.

Who does it apply to?

The rule applies to all university students, faculty, staff, patients, and business partners.

Up next in the January Node 4 newsletter — Rule 4-004E: Change Management


Last Updated: 4/8/24