Standard for Decommissioning Access to University IT Systems


Document Control

Field

Details

Standard Owner

CIO

Approval Authority

CIO

Date of Issue

07/12/2025

Last Reviewed

07/12/2025

Next Review Date

07/12/2027

Standard Number

APS-2.6.STN-03.02

Related Policies

E.g., Executive Order 63, APS 2.3-2.6; NIST SP 800-53 Rev. 5 – Security and Privacy Controls, Control: AC-2(5); PS-4; IA-4

Purpose

This standard implements APS 2.6(9) Information Security Controls and Operational Practices. APS 2.6(9) charges the University’s Chief Information Security Officer with setting minimum security standards, including Account and Identity Management Controls, which govern identity and account management for all system accounts, including an identity and eligibility verification and registration process and a user and system account life cycle management process. Further, this standard is required to:

  1. enhance the security of University information and technology systems;
  2. bring the UW into compliance with APS 47.2 (Personal Use of University Facilities, Computers, and Equipment by University Employees); 
  3. reflect the best practices for information and technology security as articulated by the National Institute of Standards and Technology (NIST), including restricting who may access digital systems (NIST SP 800-53); and
  4. support UW efforts to meet requirements for cybersecurity insurance.

Scope

This standard applies to all individuals employed by the University, students, and volunteers and contractors who may need access to IT systems to conduct their work.

Definitions

(Technical or unit / role definitions referred to in the standard document.)

Standard Requirements

Only enrolled students and regular and contracted employees engaged in UW teaching, research, administrative, educational or other necessary functions are authorized to use UW information & technology systems, including but not limited to email, teleconferencing, data management, learning management systems, and finance and human resources systems.  

Separation from the University shall coincide with termination of access to digital University systems and use of University information technology equipment. 

Roles and Responsibilities

Role

Responsibility

Information Security

Termination of access to systems

Implementation, maintenance, and interpretation of this standard

Registrar

Confirmation of student enrollment status

Procurement

Notification to IS of vendor service termination

Human Resources

Notification to IS of separation date of employees

Compliance

  1. Exceptions must be:
    1. Approved by the CISO
    2. Documented and reviewed annually
  1. Failure to comply with this standard creates financial, organizational, and security risks for the University of Washington and may result in loss of IT support, revocation of access to University IT systems and disciplinary measures.

References

Please see Executive Order 63 and APS 2.3, 2.4, 2.5 and 2.6.

History

12 July 2025