The revised University of Michigan Information Security policy (SPG 601.27) was recently approved, along with a number of new information technology standards. The policy and accompanying standards represent the most comprehensive revision of the institution’s information security program since its inception over a decade ago.
SPG 601.27 and the standards are based on a cybersecurity risk management framework that incorporates best practices for protecting U-M’s critical IT infrastructure and data assets, and reinforces everyone’s shared responsibility for information security.
“Information security, particularly for a highly distributed and collaborative environment like our institution, is an evolving paradigm. The revised Information Security policy strives to balance appropriately securing the institution while supporting open collaboration and innovation in research, teaching, learning, and clinical care,” said Ravi Pendse, vice president for information technology and chief information officer. “It also acknowledges that everyone—faculty, staff, and students—shares the responsibility for information security. We are all in this together.”
Implementation begins now
Information Assurance (IA) recognizes that implementation of the policy and standards will take some time given the more detailed nature of the new requirements. Implementation will be phased in over the next two years, with an anticipated compliance date of December 31, 2020.
IA staff members are meeting with university stakeholders, IT governance groups, and others to outline the implementation planning process.
SULs to facilitate
IA is asking each unit’s Security Unit Liaison (SUL) to facilitate and coordinate their unit’s implementation planning. Specific objectives of this work include:
- Reviewing the policy and standards to understand how they will apply to your unit (e.g., many requirements in the Standards only apply to sensitive institutional data classified as High or Restricted)
- Planning how to meet the minimum security requirements applicable to information systems
- Soliciting and incorporating input of unit IT staff, administrative and business system administrators, faculty, and/or researchers
- Collaborating to identify potential resource needs or constraints
- Determining how to apprise unit leadership of progress
Support from IA
“The Information Assurance team will work with and support all U-M campuses and Michigan Medicine as we work towards implementation,” said Sol Bermann, U-M’s chief privacy officer and interim chief information security officer. “Information security is a shared responsibility. The IA team looks forward to working with units across the university to support implementation, interpreting the policy and standards, and receiving feedback along the way.”
“We appreciate your support as everyone works together to improve IT security and compliance,” said Bermann. “As the implementation moves forward, your ongoing feedback is critical.” Send suggestions to email@example.com.