{"id":10603,"date":"2018-10-30T08:00:11","date_gmt":"2018-10-30T12:00:11","guid":{"rendered":"https:\/\/michigan.it.umich.edu\/news\/?p=10603"},"modified":"2024-07-08T06:05:42","modified_gmt":"2024-07-08T10:05:42","slug":"u-m-information-security-policy-revised-and-approved","status":"publish","type":"post","link":"https:\/\/michigan.it.umich.edu\/news\/2018\/10\/30\/u-m-information-security-policy-revised-and-approved\/","title":{"rendered":"U-M Information Security policy: Revised and approved"},"content":{"rendered":"<p><span style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-10614\" src=\"https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/spgbadge.png\" alt=\"SPG logo\" width=\"600\" height=\"154\" srcset=\"https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/spgbadge.png 600w, https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/spgbadge-200x51.png 200w, https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/spgbadge-300x77.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/>The revised University of Michigan <\/span><a href=\"http:\/\/spg.umich.edu\/policy\/601.27\"><span style=\"font-weight: 400;\">Information Security policy (SPG 601.27)<\/span><\/a><span style=\"font-weight: 400;\"> recently was approved, along with a number of <a href=\"https:\/\/it.umich.edu\/information-technology-policies\/general-policies#standards\">new information technology standards<\/a>.\u00a0<\/span><span style=\"font-weight: 400;\">The policy and <\/span><span style=\"font-weight: 400;\">accompanying <\/span><span style=\"font-weight: 400;\">standards represent the most comprehensive revision of the institution\u2019s information security program since its inception over a decade ago. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">SPG 601.27 and the standards are based on a cybersecurity risk management framework that incorporates best practices for protecting U-M\u2019s critical IT infrastructure and data assets, <\/span><span style=\"font-weight: 400;\">and reinforces everyone&#8217;s shared responsibility for information security.<\/span><\/p>\n<p>\u201cInformation security, particularly for a highly distributed and collaborative environment like our institution, is an evolving paradigm. The revised Information Security policy strives to balance appropriately securing the institution while supporting open collaboration and innovation in research, teaching, learning, and clinical care,\u201d said Ravi Pendse, vice president for information technology and chief information officer. \u201cIt also acknowledges that everyone\u2014faculty, staff, and students\u2014shares the responsibility for information security. We are all in this together.\u201d<\/p>\n<h1>Implementation begins now<\/h1>\n<p><span style=\"font-weight: 400;\">Information Assurance (IA) recognizes that <a href=\"https:\/\/www.safecomputing.umich.edu\/implementing-spg-601.27\">implementation of the policy and standards<\/a> will take some time given the more detailed nature of the new requirements. 
<\/span><span style=\"font-weight: 400;\">Implementation will be phased in over the next two years, with an anticipated compliance date of December 31, 2020.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">IA staff members are meeting with university stakeholders, IT governance groups, and others to outline the implementation planning process.<\/span><\/p>\n<h1>SULs to facilitate<\/h1>\n<p><span style=\"font-weight: 400;\">IA is asking each unit&#8217;s <\/span><a href=\"https:\/\/www.safecomputing.umich.edu\/it-security-professionals\/security-unit-liaisons\"><span style=\"font-weight: 400;\">S<\/span><span style=\"font-weight: 400;\">ecurity Unit Liaison (SUL)<\/span><\/a><span style=\"font-weight: 400;\"> to facilitate and coordinate their unit\u2019s implementation planning. Specific objectives of this work include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Reviewing the policy and standards to understand how they will apply to your unit (e.g., many requirements in the Standards only apply to sensitive institutional data classified as High or Restricted)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Planning how to meet the minimum security requirements applicable to information systems <\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Soliciting and incorporating <\/span><span style=\"font-weight: 400;\">input of unit IT staff, administrative and business system administrators, faculty, and\/or researchers<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Collaborating to identify potential resource needs or constraints<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Determining how to apprise unit leadership of progress \u00a0<\/span><\/li>\n<\/ul>\n<h1>Support from IA<\/h1>\n<p><span style=\"font-weight: 400;\">&#8220;The Information Assurance team will work with and support all U-M 
campuses and Michigan Medicine<\/span><span style=\"font-weight: 400;\"> as we work towards<\/span><span style=\"font-weight: 400;\"> implementation,&#8221; said Sol Bermann, U-M\u2019s chief privacy officer and interim chief information security officer.\u00a0<\/span><span style=\"font-weight: 400;\">\u201cInformation security is a shared responsibility. The IA team looks forward to working with units across the university to support implementation, interpreting the policy and standards, and receiving feedback along the way.\u201d<\/span><\/p>\n<div class=\"omsc-box omsc-with-title omsc-with-bg-color omsc-with-icon omsc-icon-style-border omsc-icon-shape-circle\" style=\"border-color:#000000;background-color:#eff0f1;text-align:left\"><div class=\"omsc-box-icon-wrapper\"><div class=\"omsc-box-icon\" style=\"border-color:#eff0f1;color:#eff0f1;border-color:#000000;color:#000000;\"><i class=\"fa fa-info\"><\/i><\/div><\/div><div class=\"omsc-box-inner\"><div class=\"omsc-box-title\"> <\/div><\/p>\n<p><strong>Here are some initial opportunities and resources to get things off to a good start:<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><b>Guidance on Safe Computing<\/b><span style=\"font-weight: 400;\">. <\/span><span style=\"font-weight: 400;\">Detailed guidance, documentation, and tools to support compliance with the policy and standards are being developed and published to the Safe Computing website under <\/span><a href=\"https:\/\/www.safecomputing.umich.edu\/protect-the-u\/protect-your-unit?nav\"><span style=\"font-weight: 400;\">Protect Your Unit\u2019s IT<\/span><\/a><span style=\"font-weight: 400;\">. Additional content will be added during the implementation period.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Standards Working Sessions<\/b><span style=\"font-weight: 400;\">. <\/span><span style=\"font-weight: 400;\">Starting in November\/December, IA will offer working sessions for unit IT staff. 
Each session will consist of a detailed walk-through of the requirements for each standard, along with opportunities for questions and individual consultations. Watch for an announcement of dates, times, and locations in the coming weeks. <\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Unit-Specific Implementation Planning Meetings<\/b><span style=\"font-weight: 400;\">. <\/span><span style=\"font-weight: 400;\">Units and departments can schedule individual implementation planning meetings with IA staff by emailing <\/span><a href=\"mailto:info-assurance@umich.edu\"><span style=\"font-weight: 400;\">info-assurance@umich.edu<\/span><\/a><span style=\"font-weight: 400;\">. \u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Compliance Using ITS Services<\/b><span style=\"font-weight: 400;\">. <\/span><span style=\"font-weight: 400;\">Units may find it easier and more efficient to use ITS services that are already aligned to specified requirements. See the <\/span><a href=\"https:\/\/www.safecomputing.umich.edu\/dataguide\/\"><span style=\"font-weight: 400;\">Safe Computing Sensitive Data Guide to IT Services<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<p><\/div><\/div>\n<p><span style=\"font-weight: 400;\">&#8220;<\/span><span style=\"font-weight: 400;\">We appreciate your support as everyone works together to improve IT security and compliance,&#8221; <\/span><span style=\"font-weight: 400;\">said Bermann. &#8220;<\/span><span style=\"font-weight: 400;\">As the implementation moves forward, your ongoing feedback is critical.&#8221; Send suggestions to <\/span><a href=\"mailto:info-assurance@umich.edu\"><span style=\"font-weight: 400;\">info-assurance@umich.edu<\/span><\/a><span style=\"font-weight: 400;\">. 
<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The revised University of Michigan Information Security policy (SPG 601.27) recently was approved, along with a number of new information technology standards.\u00a0The policy and accompanying standards represent the most comprehensive revision of the institution\u2019s information security program since its inception over a decade ago. SPG 601.27 and the standards are based on a cybersecurity risk management framework that\u2026 <span class=\"read-more\"><a href=\"https:\/\/michigan.it.umich.edu\/news\/2018\/10\/30\/u-m-information-security-policy-revised-and-approved\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":98,"featured_media":10612,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","_umich_oidc_access":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_ef_editorial_meta_date_first-draft-date":"","_ef_editorial_meta_paragraph_assignment":"","_ef_editorial_meta_checkbox_needs-photo":"","_ef_editorial_meta_number_word-count":"","footnotes":""},"categories":[27,4],"tags":[433,63,23,572],"class_list":["post-10603","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-safe-computing","category-features","tag-compliance","tag-policy","tag-security","tag-spg"],"uagb_featured_image_src":{"full":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere.jpg",600,420,false],"thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere-200x140.jpg",200,140,true],"medium":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere-286x200.jpg",286,200,true],"medium_large":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere.jpg"
,600,420,false],"large":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere.jpg",600,420,false],"1536x1536":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere.jpg",600,420,false],"2048x2048":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere.jpg",600,420,false],"excerpt-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere-200x140.jpg",200,140,true],"themonic-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere-60x42.jpg",60,42,true],"ioslider-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere-600x300.jpg",600,300,true],"post-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere.jpg",600,420,false],"400x250-crop":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2018\/10\/security-sphere.jpg",357,250,false]},"uagb_author_info":{"display_name":"Alan J. Levy, Information Assurance","author_link":"https:\/\/michigan.it.umich.edu\/news\/author\/ajlevy\/"},"uagb_comment_info":0,"uagb_excerpt":"The revised University of Michigan Information Security policy (SPG 601.27) recently was approved, along with a number of new information technology standards.\u00a0The policy and accompanying standards represent the most comprehensive revision of the institution\u2019s information security program since its inception over a decade ago. 
SPG 601.27 and the standards are based on a cybersecurity risk&hellip;","_links":{"self":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts\/10603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/users\/98"}],"replies":[{"embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/comments?post=10603"}],"version-history":[{"count":19,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts\/10603\/revisions"}],"predecessor-version":[{"id":10822,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts\/10603\/revisions\/10822"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/media\/10612"}],"wp:attachment":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/media?parent=10603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/categories?post=10603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/tags?post=10603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}