Minimum Information Security Requirements for Systems, Applications, and Data

U-M's Information Security policy (SPG 601.27) and the U-M IT security standards apply to all U-M units, faculty, staff, affiliates, and vendors with access to U-M institutional data. Federal or state regulations and contractual agreements may require additional actions that exceed those included in U-M's policies and standards.

Use the table below to identify minimum security requirements for your system or application. To use the table, you need to do both of the following:

Information Assurance (IA) provides Hardening Guides & Tools to assist you in securing your systems and meeting the minimum information security requirements.

Requirements are organized by standard:

Icon Key:

  • checkmark icon Required
  • circle icon Recommended
  • minus icon Not applicable
  • X icon Not allowed

Icon Key:

  • checkmark circle icon Required
  • checkmark icon Recommended

Access, Authentication, and Authorization Management

U-M Standard: Access, Authentication, and Authorization Management (DS-22)
Guidance: Access, Authorization, and Authentication

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Uniquely identify individual system users

Required Required Required

Include responsible use notification and user acknowledgment at login

Required Required Required

Grant the minimum, sufficient access or privileges

Required Required Required

Separate duties related to granting of access

Required Required Required

Require training and agreement prior to access

Required Required Required

Employ role-based access controls

Required Required

(Users) Access sensitive data only as necessary for job duties

Required Required Required

(Users) Log out or lock unattended workstations

Required Required Required

Revoke access upon termination of personnel appointments

Required Required Required

Review accounts at least annually

Required Required Required

Meet related regulatory and/or contractual obligations

Required Required Required

Designate owners to manage privileged accounts

Required Required Required

Designate owners to manage shared accounts

Required Required Required

Encrypt authentication and authorization mechanisms

Required Required Required

Manage passwords and password processing securely

Required Required Required

Enable session lock after inactivity

Required Required

Require two-factor authentication for system access

Required Required

Awareness, Training, and Education

U-M Standard: Information Assurance Awareness, Training, and Education (DS-16)
Guidance: Training, Education & Awareness

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Establish training requirements for those having access to sensitive data

Required Required Required

Address training participation in performance management processes

Maintain records of participation in required training

Disaster Recovery Planning and Data Backup for Information Systems and Services

U-M Standard: Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12)
Guidance: Disaster Recovery Management; Back Up U-M Data

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Identify mission critical systems

Required Required Required Required Required

Develop, implement and test DR plans for critical systems

Required

Review DR plans and subsequently update/test as necessary

Required

Evaluate new systems prior to go-live

Required Required Required Required Required

Incorporate a disaster risk assessment

Required

Establish DR performance objectives

Required

Align data backup procedures with DR objectives

Required Required Required

Ensure DR plan availability

Required

Identify primary responsibility for data backup

Required Required Required Required Required

Ensure backups are encrypted

Required Required

Ensure contracts with vendors include DR and data backup SLAs

Required Required Required

Electronic Data Disposal and Media Sanitization

U-M Standard: Electronic Data Disposal and Media Sanitization (DS-11)
Guidance: Securely Dispose of U-M Data and Devices

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Sanitize device/storage media before transfer

Required Required Required Required

Ensure sanitization methods meet the Standard's requirements

Required Required Required Required

Retain certificates of sanitization for 3 years

Required Required Required Required

Remove licensed software from device/storage media before transfer

Required Required Required Required

Encryption

U-M Standard: Encryption (DS-15)
Guidance: Encryption

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Use encryption that meets NIST FIPS minimum requirements

Required Required Required

Encrypt data at rest in data centers

Encrypt data at rest in machine rooms

Required Required

Encrypt data at rest on portable and removable storage media

Required Required

Encrypt data at rest on laptops (UM-owned)

Required Required

Encrypt data at rest on desktops (UM-owned)

Required

Encrypt data at rest with cloud providers

Required Required

Encrypt data at rest on personally owned devices; data classified as Restricted may not be stored on such devices.

Not Allowed Required

Encrypt data backups outside U-M data centers

Required Required

Encrypt data in transit within U-M campuses

Encrypt data in transit between U-M campuses

Required Required

Encrypt data in transit outside U-M campuses

Required Required

Implement an appropriate key management plan

Required Required

Comply with applicable export/import laws and regulations

Required Required

Information Security Risk Management

U-M Standard: Information Security Risk Management (DS-13)
Guidance: Information Security Risk Management

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Categorize IT assets according to their sensitivity and criticality

Required Required Required Required Required

Conduct a risk assessment soon after a serious IT security incident

Required Required Required Required Required

Conduct any risk assessments required by regulation or law

Required Required Required Required Required

Use RECON or other approved tool(s) for any required risk assessments

Required Required Required

Provide IA with results of unit-conducted risk assessments

Required Required Required Required Required

Maintain risk assessment data as confidential, classified as High

Required Required Required Required Required

Develop post-assessment plans to reduce risks to acceptable levels

Required Required Required Required Required

Implement the appropriate risk-reducing controls

Required Required Required Required Required

Authorize acceptance of unmitigated risks

Required Required Required Required Required

Assist IA with tracking Risk Treatment Plan progress

Required Required Required Required Required

Network Security

U-M Standard: Network Security (DS-14)
Guidance: Network Security Management

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Implement default-deny, least-privilege policies on network firewalls

Required Required Required Required

Isolate trusted networks containing sensitive data from non-trusted networks

Required Required Required

Securely configure network infrastructure devices

Required Required Required Required Required

Maintain accurate network documentation

Required Required Required Required Required

Document network interconnects to non-UM parties

Required Required Required Required Required

Protect devices not requiring exposure to the internet

Required Required Required Required Required

Restrict vendor remote network access to the smallest segment feasible

Required Required Required Required

Obtain authorization before extending any U-M networks

Required Required Required Required Required

Encrypt wireless network traffic

Required Required Required

Physical Security

U-M Standard: Physical Security (DS-17)
Guidance: Physical Security

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Document and implement physical security procedures, train faculty and staff

Required Required

Formalize procedures for granting access to U-M/unit data centers

Required Required

Limit physical access to systems containing PHI

Required

Restrict physical access to only those authorized

Required Required

Maintain accurate lists of those authorized to access secure locations

Required Required

Review authorization lists regularly

Required Required

Implement appropriate access control mechanisms and logging

Required Required

Place sensitive/critical equipment in access-controlled areas

Required Required Required Required

Prohibit sharing of access credentials

Required Required

Require that personnel identification be displayed within secured locations

Required Required

Implement 24/7 video surveillance

Required Required

Escort authorized vendors/visitors within secured locations

Required Required

Log all vendor/visitor access to secured locations

Required Required

Prohibit food and drink in secured locations

Required Required

Document maintenance activities and maintain records for three years

Required Required

Lock doors after business hours and when unattended

Required Required

Install output devices where they cannot be accessed by unauthorized parties

Required Required Required

Store unencrypted media containing sensitive data in secure locations

Required Required Required

Develop and maintain disaster recovery and contingency plans

Required Required

Place power equipment and cabling in safe locations

Required Required

Install emergency power shutoff mechanisms in appropriate locations

Required Required

Implement uninterruptible power supply (UPS)

Required Required

Install and maintain fire detection and suppression

Required Required

Install, maintain, and monitor temperature and humidity controls

Required Required

Protect processing equipment from potential water leakage

Required Required

Secure Coding and Application Security

U-M Standard: Secure Coding and Application Security (DS-18)
Guidance: Secure Coding and Application Security

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Use Production, Staging, Test, and Development environments

Required Required Required

Exclude sensitive data from Test and Dev, or obtain IA permission

Required Required

Define security requirements early in the SDLC and evaluate compliance

Required Required Required

Use the latest available external or third-party components

Required Required Required

Avoid dynamic inclusion of software

Required Required Required

Validate application input

Required Required Required

Execute proper error handling

Required Required Required

Authenticate users through central AuthN/AuthZ systems

Required Required

Implement two-factor authentication

Required Required

Control access based on roles and the principle of least privilege

Review individually-granted access annually

Required Required

Provide for automated review of authorizations where possible

Required Required

Encrypt external transmission of data

Required Required

Implement application logs with important event data

Required Required Required

Conduct code security reviews/audits for new or changed applications

Required Required

Use effective quality assurance techniques prior to go-live

Required Required

Remove obsolete or no longer supported or needed software

Required Required Required

Implement and maintain a change management process

Required Required

Security Log Collection, Analysis, and Retention

U-M Standard: Security Log Collection, Analysis, and Retention (DS-19)
Guidance: Security Log Management

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Enable logging for endpoints (workstations, desktops)

Required

Enable logging for all other systems (non-endpoint)

Required Required Required

Include essential events and elements in logs

Required Required Required

Consult Sensitive Data Guide to ensure appropriate storage of log data

Required Required Required

Restrict log access to authorized individuals

Required Required Required Required

Protect log data from unauthorized changes and operational problems

Required Required Required

Automate alerting on logging failures

Required Required

Send local logs to IA Security Information Event Management (SIEM) system (IA's SIEM is Splunk), meeting maximum allowed delay requirements.

Required Required

Retain log data for duration required by policy and law

Required Required Required

Keep security logs immediately available for 90 days

Required Required Required

Purge unneeded logs securely

Required Required Required

Security of Enterprise Application Integration

U-M Standard: Security of Enterprise Application Integration (DS-09)
Guidance: Access, Authorization, and Authentication

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Identify a single business need or application for each integration

Required Required Required Required

Restrict the lifespan of integration credentials to one year or less

Required Required Required Required

Use data only for the limited and specific purpose described in the request

Required Required Required Required

Designate an owner and co-owner for each integration

Required Required Required Required

Limit admin privileges to owners and to those they specifically authorize

Required Required Required Required

Handle data received via API according to Information Security (SPG 601.27)

Required Required Required Required

Require attestation to Institutional Data Access and Compliance Agreement

Required Required Required Required

Control access based on authorization, least privilege, and limited duration

Required Required Required Required

Leverage MCommunity for authentication of users

Required Required Required Required

Ensure local data storage receives updates from authoritative data source

Required Required Required Required

Terminate access or elevated privileges promptly upon role change

Required Required Required Required

Adhere to incident reporting requirements for all facets of the integration

Required Required Required Required

Third Party Vendor Security and Compliance

U-M Standard: Third Party Vendor Security and Compliance (DS-20)
Guidance: Third Party Vendor Security & Compliance

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Adhere to U-M's Vendor Security and Compliance Assessment process

Required Required Required Required Required

Continuously manage vendor security compliance

Required Required Required Required Required

Vulnerability Management

U-M Standard: Vulnerability Management (DS-21)
Guidance: Vulnerability Management

Security Control | Mission Critical? | Restricted | High | Moderate | Low

Conduct vulnerability scans at least monthly

Required Required

Prioritize remediation/mitigation based on severity

Required Required Required Required Required

Develop corrective action plans for identified vulnerabilities

Required Required Required Required Required