Implementing Information Security (SPG 601.27) and Supporting Standards

In summer 2018, the revised Information Security (SPG 601.27) policy was published, along with a number of supporting IT standards. The policy and accompanying standards represent the most comprehensive revision of the university’s information security program since its inception over a decade ago.

  • Phased Compliance. All university units are participating in a two-year phased implementation process leading toward full compliance as of December 31, 2020.
  • Shared Responsibility. The policy and standards rely on a shared responsibility model in which the U-M community is expected to play its part protecting U-M’s critical IT infrastructure and data assets.
  • Information Assurance Support. Information Assurance (IA) staff are meeting with university stakeholders, IT governance groups, and others throughout the fall term to outline the implementation planning process.

Support from IA

IA will work with and support all U-M campuses and Michigan Medicine throughout the implementation. Here are some initial opportunities and resources:

  • Guidance on Safe Computing. Detailed guidance, documentation, and tools to support compliance with and implementation of the policy and standards is published on the Safe Computing website in Protect Your Unit’s IT.
  • Standards Working Sessions. IA held working sessions for unit IT staff and others during the first half of 2019. Materials from those sessions are available at SPG 601.27 Implementation Presentations.
  • Communities of Practice. IA has set up joinable MCommunity groups to service as communities of practice where you can access the collective wisdom and expertise of your U-M colleagues, including IA. See Communities of Practice for Information Security Standards.
  • Unit-Specific Implementation Planning Meetings. Units and departments can schedule individual implementation planning meetings with IA staff by emailing
  • Compliance Using ITS Services. Units may find it easier and more efficient to use ITS services that are already aligned to specified requirements. See the Safe Computing Sensitive Data Guide to IT Services.

SULs Are Facilitating

IA has asked each unit's Security Unit Liaison (SUL) to facilitate and coordinate their unit’s implementation planning. Specific objectives of this work include:

  • Reviewing the policy and standards to understand how they will apply in each unit (for example, many requirements apply only to sensitive institutional data classified as High or Restricted)
  • Planning how to meet the minimum security requirements applicable to information systems
  • Soliciting and incorporating input of unit IT staff, administrative and business system administrators, faculty, and/or researchers
  • Collaborating to identify potential resource needs or constraints
  • Determining how to best apprise unit leadership of progress