U-M Information Security policy: Revised and approved

The revised University of Michigan Information Security policy (SPG 601.27) recently was approved, along with a number of new information technology standards. The policy and accompanying standards represent the most comprehensive revision of the institution’s information security program since its inception over a decade ago.

SPG 601.27 and the standards are based on a cybersecurity risk management framework that incorporates best practices for protecting U-M’s critical IT infrastructure and data assets, and reinforces everyone’s shared responsibility for information security.

“Information security, particularly for a highly distributed and collaborative environment like our institution, is an evolving paradigm. The revised Information Security policy strives to balance appropriately securing the institution while supporting open collaboration and innovation in research, teaching, learning, and clinical care,” said Ravi Pendse, vice president for information technology and chief information officer. “It also acknowledges that everyone—faculty, staff, and students—shares the responsibility for information security. We are all in this together.”

Implementation begins now

Information Assurance (IA) recognizes that implementation of the policy and standards will take some time given the more detailed nature of the new requirements. Implementation will be phased in over the next two years, with an anticipated compliance date of December 31, 2020.

IA staff members are meeting with university stakeholders, IT governance groups, and others to outline the implementation planning process.

SULs to facilitate

IA is asking each unit’s Security Unit Liaison (SUL) to facilitate and coordinate their unit’s implementation planning. Specific objectives of this work include:

  • Reviewing the policy and standards to understand how they will apply to your unit (e.g., many requirements in the Standards only apply to sensitive institutional data classified as High or Restricted)
  • Planning how to meet the minimum security requirements applicable to information systems
  • Soliciting and incorporating input of unit IT staff, administrative and business system administrators, faculty, and/or researchers
  • Collaborating to identify potential resource needs or constraints
  • Determining how to apprise unit leadership of progress  

Support from IA

“The Information Assurance team will work with and support all U-M campuses and Michigan Medicine as we work towards implementation,” said Sol Bermann, U-M’s chief privacy officer and interim chief information security officer. “Information security is a shared responsibility. The IA team looks forward to working with units across the university to support implementation, interpreting the policy and standards, and receiving feedback along the way.”

Here are some initial opportunities and resources to get things off to a good start:

  • Guidance on Safe Computing. Detailed guidance, documentation, and tools to support compliance with the policy and standards are being developed and published to the Safe Computing website under Protect Your Unit’s IT. Additional content will be added during the implementation period.
  • Standards Working Sessions. Starting in November/December, IA will offer working sessions for unit IT staff. Each session will consist of a detailed walk-through of the requirements for each standard, along with opportunities for questions and individual consultations. Watch for an announcement of dates, times, and locations in the coming weeks.
  • Unit-Specific Implementation Planning Meetings. Units and departments can schedule individual implementation planning meetings with IA staff by emailing info-assurance@umich.edu.  
  • Compliance Using ITS Services. Units may find it easier and more efficient to use ITS services that are already aligned to specified requirements. See the Safe Computing Sensitive Data Guide to IT Services.

“We appreciate your support as everyone works together to improve IT security and compliance,” said Bermann. “As the implementation moves forward, your ongoing feedback is critical.” Send suggestions to info-assurance@umich.edu.