About the ITS Information Assurance Office
The ITS Information Assurance (IA) Office oversees the big picture view of IT security and privacy at the University of Michigan. All members of the university community have a role to play, as does your unit. Securing the data and guarding the privacy of the university community are shared responsibilities.
IA strives to proactively mitigate IT security risks in partnership with all U-M's campuses—UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine. IA takes a risk-based approach to securing the university’s most sensitive information assets that enables teaching, learning, research, and healthcare in a large, open environment.
IA provides some capabilities to the university at large and makes additional services available on request. In addition, IA provides IT security and privacy guidance, best practices, and information. Key capabilities are listed here. To request services from IA, ask questions, make suggestions, or share concerns, work with your unit's Security Unit Liaison (SUL) or contact IA through the ITS Service Center.
Your unit benefits from IA's support of numerous compliance stakeholders across U-M, collaborating on legal and regulatory compliance efforts related to HIPAA, CUI, FISMA, GLBA, GDPR, PCI DSS, Export Controls, the Common Rule, and other laws and regulations.
Your unit can make use of guidance and information provided by IA to help members of the university community meet their responsibility to comply with data protection and privacy laws, regulations, and industry standards, as well as U-M IT policies and standards. IA has worked with Procurement Services to include IT security requirements in the vendor selection process and provides guidance to help your unit manage third party vendor security and compliance.
Cyber Risk and Privacy Insurance Coverage
The Office of Risk Management maintains insurance that allows university units and departments to recover financial costs incurred as a result of lost or stolen data, violation of privacy laws, intellectual property infringement, and social media risk.
IA serves as liaison to the Office of Risk Management with respect to initiating claims under the cyber risk insurance coverage.
To submit a claim under the university's cyber risk insurance coverage, units are required to report potentially serious incidents immediately (within 24 hours) to IA in accordance with Information Security Incident Reporting (SPG 601.25). If an incident involves the potential for recoverable losses, the incident must be reported to IA.
Data governance establishes decision rights with respect to university data for the purposes of ensuring accountability and defining processes and standards associated with their proper use. The university's data stewards are responsible for protecting the confidentiality, integrity, and availability of a particular institutional data area. Some of their specific responsibilities include assigning an appropriate classification for their respective data areas based on their sensitivity and criticality; approving standards and procedures related to day-to-day administrative and operational management of the data; and determining the appropriate criteria for obtaining access.
All U-M institutional data must be backed up for resilience and disaster recovery purposes. Requirements for backups and disaster recovery plans are based on whether a system or service is mission critical and on the data classification level of the data involved.
Unit leaders are asked to ensure sufficient financial, personnel, and other resources are available for the successful creation and ongoing maintenance of unit disaster recovery plans and backups where required. IA provides guidance for determining the scope of required planning and templates to help ensure everything is covered.
Awareness, Training, and Education
IA provides myriad IT security and privacy education, awareness, and training to members of the U-M community. The Safe Computing website provides tips, best practices, instructions, links to training and awareness materials, and other resources to help people protect the university and themselves. IA hosts educational events throughout the year.
Unit IT managers and SULs collaborate with IA to develop and implement ongoing unit-based awareness activities and training as needed, often by distributing IA materials or customizing them for unique unit needs.
By participating in information assurance awareness, training, and education, members of the U-M community can help reduce the risk of data breaches; maintain compliance with applicable laws, regulations, contractual agreements, and U-M policies; and ultimately help protect U-M systems and data.
Identity and Access Management
The IA Identity and Access Management (IAM) team provides operational support for a framework of business processes, technologies, and information that facilitate the management of digital identities, authentication (including two-factor authentication), and passwords across the university. It also supports user account provisioning and deprovisioning.
Two-factor authentication (using Duo) is required for access to systems that store or access sensitive university data classified as Restricted or High. Two-factor at Weblogin is required of all U-M faculty, staff, and students.
Incident Response and Management
The IA Incident Response team coordinates and manages the response to all serious IT security incidents across the university, including the UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine campuses. Security experts are available to help units minimize the consequences of IT security incidents.
Units are expected to report IT security incidents by sending email to firstname.lastname@example.org or by contacting the ITS Service Center as soon as they are aware of a suspected or actual incident. A security expert will analyze the situation and work with unit staff to develop and implement a plan for containment and mitigation. Unit IT staff are expected to be familiar with the process for reporting security incidents so they can report quickly if they become aware of a possible security incident in their unit or in the larger university community.
The chief information officer (CIO) has oversight responsibility for IT policy. IA, by delegation of the CIO, coordinates the IT policy function for U-M, with responsibility for policy, standard, and guideline development and maintenance.
IT policies and related standards apply to all users, including visitors, across the entire University of Michigan community, including UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine. These policies apply whether the university's information resources are accessed from on- or off-campus.
Information Security (SPG 601.27) and its 13 supporting IT standards are based on a cybersecurity risk management framework that incorporates best practices for protecting U-M’s critical IT infrastructure and data assets and reinforces everyone's shared responsibility for information security. Together, they strive to strike a balance between appropriately securing the institution while allowing for innovation in research, teaching, learning, and clinical care.
IA partners with the ITS Network Operations team on network protection technologies and services (for example, firewalls and network security threat detection and mitigation systems). The Network Operations team manages the day-to-day operation of these tools, with IA providing strategic direction and input.
Threat detection technologies are built into the fabric of the university's networks and focus on the metadata associated with network traffic, such as the source and destination IP addresses, DNS activity, protocol validation, ports requested, file types, connection types, and so on. This enables early detection of Distributed Denial of Service (DDoS) attacks, worm outbreaks, and other malicious activity that could cause disruption of university IT services.
IA asks to be included early in the IT architecture management process whenever university units are planning IT architecture—whether that architecture will be university-wide or limited to a unit or department. Security architecture requirements are based on the university's information security policy and standards, and IA can help your unit develop and maintain a security architecture that complies with the policy and standards and integrates with the overall university security architecture. The university approaches security capabilities from the perspectives of protection, detection, and response.
Security Operations Center
Security analysts in IA's Security Operations Center identify and examine indicators of compromise, process information about potential cyberattack campaigns, review industry-specific threat intelligence, and perform other security operations tasks for the university. Their work contributes to the following:
- Reduced number of IT security incidents over time
- Reduced impact of identified incidents
- Reduced response time to address compromised accounts
- Improved response time for non-serious IT security incidents
- Increased support for compliance requirements
- Better coordination of incident response for compliant environments
The IT User Advocate works with the U-M community to ensure that U-M information technology policies and guidelines are followed and responds to reports of abuse and misuse of U-M IT resources. The User Advocate supports problem solving with other IT service providers and U-M units—including Student Life and the Department of Public Safety & Security. In addition, the User Advocate provides IT policy interpretation and information to help students, faculty, and staff understand university and departmental policy, including the responsible use of shared resources.
Vendor Security and Compliance
If your unit uses a non-university product or service with university data, you must ensure adequate protection of the data. Third-party service providers and cloud-based services are generally required to do some form of risk assessment and risk management as part of their contractual relationship with U-M.
IA provides vendor security and compliance direction and guidance to help. The guidance includes a questionnaire that can be used to gather the needed compliance information from prospective vendors and a data protection contract addendum to attach to all contracts where a service provider accesses, processes, or maintains institutional data.
IA collaborates in reviewing the security and compliance for all prospective university-wide IT service providers, and, increasingly, is reviewing unit-unique engagements as well. Michigan Medicine Corporate Compliance coordinates review of Michigan Medicine IT service providers based on IA tools and methodologies.
IA also provides guidance to help you monitor and periodically reassess your selected vendor's security compliance as part of your ongoing vendor relationship management.
System Hardening Guidance and Tools
IA provides server and database hardening guidelines and tools to help U-M units make their systems more resistant to vulnerabilities and threats. Included in the server and database hardening guides are minimum security expectations for configuration and management, access and accounts, system monitoring, and network connections, as well as additional hardening steps to consider.
The hardening guides are designed to help your unit's IT staff protect the confidentiality, integrity, and availability of unit systems, as well as the services and data stored in, processed by, or accessed via those systems.
IA provides units with access to, and guidelines for using, the KillDisk tool for securely erasing devices and the CIS-CAT tools for evaluating the hardening status of systems. IA works with U-M Property Disposition to ensure that appropriate device sanitization and disposal services are provided to the U-M community.
Threat Intelligence and Logging
IA hosts and manages a shared threat intelligence repository that is used across the Big Ten Academic Alliance (BTAA), with seven schools participating in threat intelligence sharing. The repository resulted from collaboration among BTAA chief information security officers. Security services across the university—including firewalls, filters, and more—make use of this intelligence to protect university systems and information from threats.
IA expanded the repository's utility by developing a framework for collecting, generating, sharing, and using threat intelligence, now known as MITN—Michigan Intelligence for Threat Negation. Many U-M units participate in MITN by hosting technology designed to detect attacks from around the world. IA shares threat intelligence from MITN with several U-M units and schools that have local IT security systems that can block attackers based on threat intelligence data shared by IA. MITN data is used to block 2–10 million threats daily on U-M's intrusion prevention system alone.
IA manages the overarching U-M information security risk assessment/management program, provides risk assessment services to the UM-Ann Arbor campus, and supports risk assessment practices via standardized tools for UM-Dearborn, UM-Flint, and Michigan Medicine. IA: Michigan Medicine provides risk assessment services for the Michigan Medicine community.
IA developed and provides the RECON (Risk Evaluation of Computers and Open Networks) risk assessment methodology and an online tool for using it. IA performs RECONs for any university or unit system that is mission critical or that hosts sensitive university data classified as Restricted or High. Unit staff members, after receiving training from IA, may perform RECONs on other unit systems.
Sensitive Data Discovery—Regular Checks
IA's Sensitive Data Discovery service helps ensure that sensitive and regulated data is not being stored unnecessarily. The twice-yearly checks of computers and networked storage identify files that may contain sensitive data and prompt a review of those files to see if they are still needed. The checks also help the university comply with laws and regulations governing the storage of sensitive and regulated data.
The Sensitive Data Discovery tool looks for numeric patterns that could indicate the presence of Social Security and credit card numbers and produces a report for unit staff. It respects privacy by not reviewing or examining content and by not checking anything placed inside folders named Personal and Private.
Computers and networked storage in MiWorkspace units are checked automatically. Other units can ask to be included in the scans by contacting IA through the ITS Service Center.
Vulnerability Management—Regular Scans
IA conducts regular scans of all University of Michigan owned and managed networks. These automated scans are designed to identify software vulnerabilities, missing system patches, and improper configurations. All U-M networks are scanned once every two months from within U-M network space and once every two months from a scanner positioned outside the university. The scans alternate, with one scan performed each month.
Reports are provided to the identified technical contact person with the expectation that corrective actions will be taken in the timeframe described in the university's vulnerability management standard. IA offers support and consultation to units as they remediate vulnerabilities.
Application Security Testing/Scanning
IA provides guidance to help university developers ensure that the apps and other software they develop adhere to security best practices and are regularly maintained to protect against emerging vulnerabilities and malware.
IA offers dynamic application security testing to help U-M units identify and resolve vulnerabilities in their web applications.Your unit can ask IA to perform web application security scans that test for vulnerabilities specific to web applications.
Penetration testing, also known as ethical hacking, is an advanced, offensive form of security testing designed to provide a deep technical analysis of a target environment’s vulnerability to exploitation and attack. Going beyond basic risk assessment and automated techniques, it relies on the expertise of a skilled security professional who follows a test process to conduct an authorized, simulated attack to evaluate security. It results in a report listing identified vulnerabilities and recommended mitigations.
U-M units can request penetration testing for a specific unit target environment from IA. Testing targets might include websites, applications, infrastructure components, hosting environments, and more.
RECON Training for Self-Assessments
IA provides in-person training to unit staff to help them use the IA-provided online RECON to conduct unit-based risk assessments. IA provides a mentor for several weeks following the training to help unit staff complete their unit self-assessment. After the training, unit staff members can perform RECONs on unit systems that are not mission critical and that store sensitive university data classified as Moderate or Low.
Units and researchers can request IT security consulting tailored to their requirements. A highly skilled information security professional from IA can offer consultation and recommendations to assist you with IT security work specific to your unit.
Sensitive Data Discovery Customized for Your Unit
IA's Sensitive Data Discovery service (described above) provides twice-yearly checks of computers and networked storage in MiWorkspace units to identify files that may contain sensitive data and prompt a review of those files to see if they are still needed. Non-MiWorkspace units can ask to be included in the scans by contacting IA through the ITS Service Center.
The Sensitive Data Discovery tool looks for numeric patterns that could indicate the presence of Social Security and credit card numbers and produces a report for unit staff. The tool can check for additional patterns if that would be helpful for your unit. For example, if researchers in your unit want to check for numbers that could potentially be medical record numbers, or some other type of number, you can request that from IA.
Vulnerability Management—Additional Scans
In addition to the regular vulnerability scans IA conducts of U-M networks (described above), IA offers on-demand and more frequent scans to units at no charge.
- Monthly scans. All networks, systems, databases, or applications that create, maintain, process, transmit, or store data classified as High or Restricted must be scanned monthly. IA can perform these monthly scans for your unit.
- Customized scans. While most units choose to have scans recur monthly, you may request your scan to run one time or at any frequency you choose. The scan policy can be configured to your needs.
Web App Scans
To help U-M units identify and resolve vulnerabilities in web applications, IA offers web application security scans.