Should my service or capability be added to the Sensitive Data Guide?
The Sensitive Data Guide is not intended to be a service catalog and does not include all services provided at the university. The following questions should be asked when considering whether your service or capability should be included in the Sensitive Data Guide:
- How widely is the service/capability used? For example, if your service/capability is only used by a small subset of individuals in the U-M community, it does not need an entry in the Sensitive Data Guide. If, however, your service/capability is used by a more significant number of the U-M Community, such as Slack, Dropbox, or Virtru, it may be appropriate to have an entry created for the Sensitive Data Guide.
- Has the service/capability been approved for more than one type of Sensitive Data? The Sensitive Data Guide is intended to help the U-M community make informed decisions on what services to use when collecting, processing, storing, or sharing university data. If your service/capability is not approved for one or more types of sensitive data, it should not be considered for the Sensitive Data Guide. Refer to All Data Types for more information on types of university data.
- What Sensitive Data types do you as the Service Owner want to support? Certain types of sensitive data need additional review and appropriate validation and documentation must exist. Consider what you as the Service Owner have the time and capacity to support for this service/capability.
To request that a service/capability be added to the Sensitive Data Guide, complete Template - Add a Service/Capability to the Sensitive Data Guide. Once you’ve completed this template, contact the ITS Service Center. This template includes the information listed below.
Information Assurance (IA) staff will work with you on an entry for the item if appropriate. Please allow several weeks for the process and keep in mind that if there are compliance categories, such as HIPAA or CUI, IA will need to validate compliance through the appropriate office.
- Service/Capability description. Provide a plain English description of the service offering, who the primary user base might be, and any other useful information about the service. Include which campuses may use this service/capability
- Description of compliance. List the service's/capability’s security safeguards, particularly those that make it compliant with sensitive data regulations. Provide details about what types of sensitive data can and cannot be safely stored in/used with the service and explain why or why not.
- Data Steward: Refer to Data Types for information on Data Steward for each type of university data.
- Links to information about the service. Provide a link to the service's homepage and any relevant documentation.
- Links to additional resources. Provide any additional links that you think would be helpful to users.
- RECON results? Has an IT security risk analysis (RECON) been conducted for the service? If so, please provide details.
- Vendor Security & Compliance Assessment? If the service is provided by a vendor, has a Vendor Security & Compliance Assessment been done? If so, please provide details.
- Business Associate Agreement? If the service is provided externally, has the provider signed a U-M Business Associate Agreement? If so, please provide details.