New U-M self-phishing guidelines & norms


Are you interested in providing anti-phishing education through self-phishing in your unit? If so, be aware that any U-M unit considering such an effort is expected to abide by self-phishing guidelines and norms from Information Assurance (IA).

The guidelines are intended to contribute to the success of your anti-phishing efforts and to share IA expertise based in part on experience with U-M pilots of such programs. The guidelines specify, for example, that IA must be made aware of, review, and approve the campaign; that unit leadership must sign off on self-phishing plans; and that Information and Technology Services (ITS) and/or Health & Information Technology Services must be included well before test messages are scheduled and sent, to allow for support and planning.

Affected community members must be informed, before the campaign starts, that the anti-phishing activities will be taking place and that they will be participants. Anti-phishing training should be offered before and after the self-phishing campaign.

Before doing self-phishing, contact IA for consultation, reviews, and approvals through the ITS Service Center. IA and Michigan Medicine have begun planning how to develop self-phishing services in the future that could be made available to U-M units. Staff members are reviewing the results of a pilot at Michigan Medicine, pulling together templates and materials that could be shared, and determining requirements for making such a service operational. UM-Flint staff consulted with IA on the recently completed UM-Flint phishing awareness campaign.