Key:
- Required
- Recommended

Access, Authentication, and Authorization Management
U-M Standard: Access, Authentication, and Authorization Management (DS-22)
Guidance: Access, Authorization, and Authentication

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Uniquely identify individual system users | | Required | Required | Required | |
| Include responsible use notification and user acknowledgment at login | | Required | Required | Required | |
| Grant the minimum, sufficient access or privileges | | Required | Required | Required | |
| Separate duties related to granting of access | | Required | Required | Required | |
| Require training and agreement prior to access | | Required | Required | Required | |
| Employ role-based access controls | | Required | Required | | |
| (Users) Access sensitive data only as necessary for job duties | | Required | Required | Required | |
| (Users) Log out or lock unattended workstations | | Required | Required | Required | |
| Revoke access upon termination of personnel appointments | | Required | Required | Required | |
| Review accounts at least annually | | Required | Required | Required | |
| Meet related regulatory and/or contractual obligations | | Required | Required | Required | |
| Designate owners to manage privileged accounts | | Required | Required | Required | |
| Designate owners to manage shared accounts | | Required | Required | Required | |
| Encrypt authentication and authorization mechanisms | | Required | Required | Required | |
| Manage passwords and password processing securely | | Required | Required | Required | |
| Enable session lock after inactivity | | Required | Required | | |
| Require two-factor authentication for system access | | Required | Required | | |

Awareness, Training, and Education
U-M Standard: Information Assurance Awareness, Training, and Education (DS-16)
Guidance: Training, Education & Awareness

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Establish training requirements for those having access to sensitive data | | Required | Required | Required | Recommended |
| Address training participation in performance management processes | | Recommended | Recommended | Recommended | Recommended |
| Maintain records of participation in required training | | Recommended | Recommended | Recommended | Recommended |

Disaster Recovery Planning and Data Backup for Information Systems and Services
U-M Standard: Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12)
Guidance: Disaster Recovery Management, Back Up U-M Data

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Identify mission critical systems | Required | Required | Required | Required | Required |
| Develop, implement and test DR plans for critical systems | Required | | | | |
| Review DR plans and subsequently update/test as necessary | Required | | | | |
| Evaluate new systems prior to go-live | Required | Required | Required | Required | Required |
| Incorporate a disaster risk assessment | Required | | | | |
| Establish DR performance objectives | Required | | | | |
| Align data backup procedures with DR objectives | Required | Required | Required | | |
| Ensure DR plan availability | Required | | | | |
| Identify primary responsibility for data backup | Required | Required | Required | Required | Required |
| Ensure backups are encrypted | | Required | Required | Recommended | |
| Ensure contracts with vendors include DR and data backup SLAs | Required | Required | Required | | |

Electronic Data Disposal and Media Sanitization
U-M Standard: Electronic Data Disposal and Media Sanitization (DS-11)
Guidance: Securely Dispose of U-M Data and Devices

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Sanitize device/storage media before transfer | | Required | Required | Required | Required |
| Ensure sanitization methods meet the Standard's requirements | | Required | Required | Required | Required |
| Retain certificates of sanitization for 3 years | | Required | Required | Required | Required |
| Remove licensed software from device/storage media before transfer | | Required | Required | Required | Required |

Encryption
U-M Standard: Encryption (DS-15)
Guidance: Encryption

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Use encryption that meets NIST FIPS minimum requirements | | Required | Required | Required | Recommended |
| Encrypt data at rest in data centers | | Recommended | Recommended | Recommended | Recommended |
| Encrypt data at rest in machine rooms | | Required | Required | Recommended | Recommended |
| Encrypt data at rest on portable and removable storage media | | Required | Required | Recommended | Recommended |
| Encrypt data at rest on laptops (UM-owned) | | Required | Required | Recommended | Recommended |
| Encrypt data at rest on desktops (UM-owned) | | Required | Recommended | Recommended | Recommended |
| Encrypt data at rest with cloud providers | | Required | Required | Recommended | Recommended |
| Encrypt data at rest on personally owned devices; data classified as Restricted may not be stored on such devices | | Not Allowed | Required | Recommended | Recommended |
| Encrypt all CUI data at rest | | | Required | | |
| Encrypt data backups outside U-M data centers | | Required | Required | | |
| Encrypt data in transit within U-M campuses | | Recommended | Recommended | Recommended | Recommended |
| Encrypt data in transit between U-M campuses | | Required | Required | Recommended | Recommended |
| Encrypt data in transit outside U-M campuses | | Required | Required | Recommended | Recommended |
| Implement an appropriate key management plan | | Required | Required | Recommended | Recommended |
| Comply with applicable export/import laws and regulations | | Required | Required | | |

Information Security Risk Management
U-M Standard: Information Security Risk Management (DS-13)
Guidance: Information Security Risk Management

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Categorize IT assets according to their sensitivity and criticality | Required | Required | Required | Required | Required |
| Conduct risk assessments annually | | Required | | | |
| Conduct risk assessments every four years | Required | | Required | Recommended | Recommended |
| Conduct a risk assessment soon after a serious IT security incident | Required | Required | Required | Required | Required |
| Conduct any risk assessments required by regulation or law | Required | Required | Required | Required | Required |
| Use RECON or other approved tool(s) for any required risk assessments | Required | Required | Required | Recommended | Recommended |
| Provide IA with results of unit-conducted risk assessments | Required | Required | Required | Required | Required |
| Maintain risk assessment data as confidential, classified as High | Required | Required | Required | Required | Required |
| Develop post-assessment plans to reduce risks to acceptable levels | Required | Required | Required | Required | Required |
| Implement the appropriate risk-reducing controls | Required | Required | Required | Required | Required |
| Authorize acceptance of unmitigated risks | Required | Required | Required | Required | Required |
| Assist IA with tracking Risk Treatment Plan progress | Required | Required | Required | Required | Required |

Network Security
U-M Standard: Network Security (DS-14)
Guidance: Network Security Management

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Implement default-deny, least-privilege policies on network firewalls | Required | Required | Required | Required | |
| Isolate trusted networks containing sensitive data from non-trusted networks | | Required | Required | Required | |
| Securely configure network infrastructure devices | Required | Required | Required | Required | Required |
| Maintain accurate network documentation | Required | Required | Required | Required | Required |
| Document network interconnects to non-UM parties | Required | Required | Required | Required | Required |
| Protect devices not requiring exposure to the internet | Required | Required | Required | Required | Required |
| Restrict vendor remote network access to the smallest segment feasible | Required | Required | Required | Required | Recommended |
| Obtain authorization before extending any U-M networks | Required | Required | Required | Required | Required |
| Encrypt wireless network traffic | | Required | Required | Required | |

Physical Security
U-M Standard: Physical Security (DS-17)
Guidance: Physical Security

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Document and implement physical security procedures, train faculty and staff | | Required | Required | Recommended | Recommended |
| Formalize procedures for granting access to U-M/unit data centers | | Required | Required | Recommended | Recommended |
| Limit physical access to systems containing PHI | | | Required | | |
| Restrict physical access to only those authorized | | Required | Required | | |
| Maintain accurate lists of those authorized to access secure locations | | Required | Required | | |
| Review authorization lists regularly | | Required | Required | | |
| Implement appropriate access control mechanisms and logging | | Required | Required | | |
| Place sensitive/critical equipment in access-controlled areas | Required | Required | Required | Required | |
| Prohibit sharing of access credentials | | Required | Required | | |
| Require that personnel identification be displayed within secured locations | | Required | Required | | |
| Implement 24/7 video surveillance | | Required | Required | | |
| Escort authorized vendors/visitors within secured locations | | Required | Required | | |
| Log all vendor/visitor access to secured locations | | Required | Required | | |
| Prohibit food and drink in secured locations | | Required | Required | | |
| Document maintenance activities and maintain records for three years | | Required | Required | | |
| Lock doors after business hours and when unattended | | Required | Required | | |
| Install output devices where they cannot be accessed by unauthorized parties | | Required | Required | Required | |
| Store unencrypted media containing sensitive data in secure locations | | Required | Required | Required | |
| Develop and maintain disaster recovery and contingency plans | | Required | Required | | |
| Place power equipment and cabling in safe locations | | Required | Required | | |
| Install emergency power shutoff mechanisms in appropriate locations | | Required | Required | | |
| Implement uninterruptible power supply (UPS) | | Required | Required | | |
| Install and maintain fire detection and suppression | | Required | Required | | |
| Install, maintain, and monitor temperature and humidity controls | | Required | Required | | |
| Protect processing equipment from potential water leakage | | Required | Required | | |

Secure Coding and Application Security
U-M Standard: Secure Coding and Application Security (DS-18)
Guidance: Secure Coding and Application Security

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Use Production, Staging, Test, and Development environments | | Required | Required | Required | |
| Exclude sensitive data from Test and Dev, or obtain IA permission | | Required | Required | Recommended | |
| Define security requirements early in the SDLC and evaluate compliance | | Required | Required | Required | |
| Use the latest available external or third-party components | | Required | Required | Required | |
| Avoid dynamic inclusion of software | | Required | Required | Required | |
| Validate application input | | Required | Required | Required | |
| Execute proper error handling | | Required | Required | Required | |
| Authenticate users through central AuthN/AuthZ systems | | Required | Required | Recommended | |
| Implement two-factor authentication | | Required | Required | Recommended | |
| Control access based on roles and the principle of least privilege | | Recommended | Recommended | Recommended | |
| Review individually-granted access annually | | Required | Required | Recommended | |
| Provide for automated review of authorizations where possible | | Required | Required | Recommended | |
| Encrypt external transmission of data | | Required | Required | Recommended | |
| Implement application logs with important event data | | Required | Required | Required | |
| Conduct code security reviews/audits for new or changed applications | | Required | Required | Recommended | |
| Use effective quality assurance techniques prior to go-live | | Required | Required | Recommended | |
| Remove obsolete or no longer supported or needed software | | Required | Required | Required | |
| Implement and maintain a change management process | | Required | Required | Recommended | |

Security Log Collection, Analysis, and Retention
U-M Standard: Security Log Collection, Analysis, and Retention (DS-19)
Guidance: Security Log Management

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Enable logging for endpoints (workstations, desktops) | | Required | Recommended | Recommended | Recommended |
| Enable logging for all other systems (non-endpoint) | | Required | Required | Required | Recommended |
| Include essential events and elements in logs | | Required | Required | Required | Recommended |
| Consult Sensitive Data Guide to ensure appropriate storage of log data | | Required | Required | Required | |
| Restrict log access to authorized individuals | | Required | Required | Required | Required |
| Protect log data from unauthorized changes and operational problems | | Required | Required | Required | Recommended |
| Automate alerting on logging failures | | Required | Required | Recommended | Recommended |
| Send local logs to IA SIEM, meeting minimum delay requirements | | Required | Required | | |
| Retain log data for duration required by policy and law | | Required | Required | Required | |
| Keep security logs immediately available for 90 days | | Required | Required | Required | Recommended |
| Purge unneeded logs securely | | Required | Required | Required | Recommended |

Security of Enterprise Application Integration
U-M Standard: Security of Enterprise Application Integration (DS-09)
Guidance: Access, Authorization, and Authentication

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Identify a single business need or application for each integration | | Required | Required | Required | Required |
| Restrict the lifespan of integration credentials to one year or less | | Required | Required | Required | Required |
| Use data only for the limited and specific purpose described in the request | | Required | Required | Required | Required |
| Designate an owner and co-owner for each integration | | Required | Required | Required | Required |
| Limit admin privileges to owners and to those they specifically authorize | | Required | Required | Required | Required |
| Handle data received via API according to Information Security (SPG 601.27) | | Required | Required | Required | Required |
| Require attestation to Institutional Data Access and Compliance Agreement | | Required | Required | Required | Required |
| Control access based on authorization, least privilege, and limited duration | | Required | Required | Required | Required |
| Leverage MCommunity for authentication of users | | Required | Required | Required | Required |
| Ensure local data storage receives updates from authoritative data source | | Required | Required | Required | Required |
| Terminate access or elevated privileges promptly upon role change | | Required | Required | Required | Required |
| Adhere to incident reporting requirements for all facets of the integration | | Required | Required | Required | Required |

Third Party Vendor Security and Compliance
U-M Standard: Third Party Vendor Security and Compliance (DS-20)
Guidance: Third Party Vendor Security & Compliance

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Adhere to U-M's Vendor Security and Compliance Assessment process | Required | Required | Required | Required | Required |
| Continuously manage vendor security compliance | Required | Required | Required | Required | Required |

Vulnerability Management
U-M Standard: Vulnerability Management (DS-21)
Guidance: Vulnerability Management

| Security Control | Mission Critical? | Restricted | High | Moderate | Low |
|---|---|---|---|---|---|
| Conduct vulnerability scans at least monthly | | Required | Required | | |
| Prioritize remediation/mitigation based on severity | Required | Required | Required | Required | Required |
| Develop corrective action plans for identified vulnerabilities | Required | Required | Required | Required | Required |