Security Policies, Standards and Guidance

There are best practices and guidelines the university community can follow to reduce risk and keep information and data secure. The priority of Information Security and IT Compliance (ISIC) is to protect the university's information technology and data, and to establish IT security and compliance programs.

Links to additional guidance and best practices are below. 


University Policies and Guidelines

The use of CU Anschutz Medical Campus information technology resources is governed by policies issued by the University of Colorado System, Information Security and IT Compliance (ISIC), and the Office of Information Technology (OIT), as well as by state and federal laws. Those who use IT resources on campus are responsible for understanding the policies and implementing the required controls to stay compliant. Visit the IT Policies webpage for more details about technology guidelines. Additional information about university policies is available on the University Policies and Guidelines webpage and the CU System Office of Policy and Efficiency webpage.


New Systemwide Security Course Requirement

The University of Colorado now requires university employees to complete the Information Security Awareness Skillsoft training every two years to help maintain proper campus security safeguards. Security awareness training helps the university community stay safe digitally by learning how to identify and avoid cyber threats. It also teaches us how to protect our personal information and the university’s data. 

More information is available in the CU Anschutz campus announcement. In addition, the CU Office of Information Security has created a webpage with additional information and FAQs about the new training requirement.


Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, billing/coding companies, doctors, hospitals and other health care providers. Our team works closely with the Office of Regulatory Compliance. Please visit their HIPAA webpage for more information about ensuring you are protecting and securing all HIPAA-protected health information.

Additional Unit HIPAA Compliance Program resources from ISIC are available here. You must be on the university VPN to access the documents. 


Transmitting HIPAA Information Using Zoom

Zoom encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data. The company employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 256-bit keys to help protect meetings. However, while Zoom is configured for HIPAA compliance, you should be thoughtful about the type of data shared and how the data is shared. Visit our Zoom tools and services HIPAA webpage for more information about using Zoom for transmitting HIPAA-protected health information.


Lost or Stolen University-Owned Device?

If a university-owned and university-issued electronic device has been lost or stolen, be sure to report the loss to the Information Security and IT Compliance (ISIC) team, your supervisor and campus police. Visit the Lost and Stolen Devices Tools and Service webpage for more details about the actions to take.


Artificial Intelligence (AI) and Security Compliance

The popularity of artificial intelligence technology is making news and we are seeing excitement about its use within the university. CU is in the process of establishing guidelines and compliance requirements for using AI — with the complexity of this technology, it may take some time. And without proper security controls, AI technology can become susceptible to privacy, confidentiality, and security threats. Cybercriminals could inject malicious data or images into a machine learning model to deliberately attack the integrity of the data. Data uploaded into AI technology could remain there permanently, circumventing appropriate university protections and security controls.

Be sure to avoid uploading or sharing university data into unvetted AI systems as they are not secure. Contact the Risk and Compliance team at for assistance vetting AI prior to acquiring a technology, particularly if the AI is intended for clinical purposes or will use highly confidential data such as FERPA or HIPAA data.

As we collaborate with cross-campus experts to establish AI guidelines for CU Anschutz and CU Denver employees, our team recommends resources from the following entities when researching the use of AI.


Information Security and IT Compliance

CU Anschutz

Education II North

13120 East 19th Avenue

5th Floor

Aurora, CO 80045
