In summer 2018, the revised Information Security (SPG 601.27) policy was published, along with a number of supporting IT standards.The policy and accompanying standards represent the most comprehensive revision of the university’s information security program since its inception over a decade ago.
- Phased Compliance. All university units are participating in a two-year phased implementation process leading toward full compliance as of December 31, 2020.
- Shared Responsibility. The policy and standards rely on a shared responsibility model in which the U-M community is expected to play its part protecting U-M’s critical IT infrastructure and data assets.
- Information Assurance Support. Information Assurance (IA) staff are meeting with university stakeholders, IT governance groups, and others throughout the fall term to outline the implementation planning process.
Support from IA
IA will work with and support all U-M campuses and Michigan Medicine throughout the implementation. Here are some initial opportunities and resources:
- Guidance on Safe Computing. Detailed guidance, documentation, and tools to support compliance with the policy and standards are being developed and published to the Safe Computing website under Protect Your Unit’s IT. Additional content will be added during the implementation period.
- Standards Working Sessions. IA is offering working sessions for unit IT staff and others. Each session consists of a detailed walk-through of the requirements for one or two standards, along with opportunities for questions and individual consultations. Upcoming standards working sessions and materials from previous sessions are at SPG 601.27 Implementation Presentations.
- Communities of Practice. IA has set up joinable MCommunity groups to service as communities of practice where you can access the collective wisdom and expertise of your U-M colleagues, including IA. See Communities of Practice for Information Security Standards.
- Unit-Specific Implementation Planning Meetings. Units and departments can schedule individual implementation planning meetings with IA staff by emailing firstname.lastname@example.org.
- Compliance Using ITS Services. Units may find it easier and more efficient to use ITS services that are already aligned to specified requirements. See the Safe Computing Sensitive Data Guide to IT Services.
SULs to Facilitate
IA is asking each unit's Security Unit Liaison (SUL) to facilitate and coordinate their unit’s implementation planning. Specific objectives of this work include:
- Reviewing the policy and standards to understand how they will apply in each unit (for example, many requirements apply only to sensitive institutional data classified as High or Restricted)
- Planning how to meet the minimum security requirements applicable to information systems
- Soliciting and incorporating input of unit IT staff, administrative and business system administrators, faculty, and/or researchers
- Collaborating to identify potential resource needs or constraints
- Determining how to best apprise unit leadership of progress