Security Unit Liaisons

Every unit, school, and college has a staff member designated as a Security Unit Liaison (SUL), serving as that unit's primary IT security contact. To find the SUL for your unit, see the Security Unit Liaison Directory. (U-M Login Required)

Information Security (SPG 601.27) establishes the expectation that units share in the responsibility to protect the information assets controlled by the university.

Appointments/Terms

• Deans or their equivalent/designate appoint SULs for their units.
• Large, complex units, or those with multiple independent sub-units, may choose to appoint more than one SUL to ensure coverage of all areas.
• In general, SULs are expected to commit to a minimum two-year term with an average time commitment of four to ten hours per month, depending on the size, complexity, and number of SULs in their unit.
• An SUL can delegate specific tasks to others in their unit but maintains the responsibility of ensuring that all tasks are completed in a timely manner.

Characteristics of an SUL

• An SUL should have a strong interest in IT security and compliance
• SULs must have the influence or authority within their unit to ensure that U-M IT security standards and practices are being implemented and followed.
• A background in information technology is helpful, but it is not required for the role.

At a high level, SULs are responsible for:

• Distributing communication and creating awareness
• Coordinating implementation and maintenance of appropriate IT security controls
• Supporting the university’s IT security posture.

Communication and Awareness

Responsibilities

• Regularly communicating with unit leadership on security related issues and alerting leadership of security risks and needed risk mitigation.
• Coordinating information security education and awareness for their unit.
• Providing ongoing feedback to IA on special security needs, priorities, and concerns, including possible improvements for processes, services, and technologies.

Tasks

• Identify awareness, training, and education topics that would benefit their unit(s).
• Share email, communications, and IA security alerts, advisories, and notices with unit faculty and staff.
• Attend quarterly IT Security Community meetings.
• Promote awareness of U-M IT security policies and standards.
• Share security-related updates and best practices from the Safe Computing Newsletter and the Safe Computing website with units, as appropriate.
• Utilize IA-provided awareness materials such as digital signs, posters, swag and social media posts to share information with unit faculty and staff.
• Use the ITS-Safe Computing and IA Training form to provide feedback to IA when additional materials or updates to content are needed. 

IT Security Controls

Responsibilities

• Serve as the primary contact for monitoring and auditing of information security policy implementation.
• Authorize and approve appropriate access to IT security tools and Active Directory resources.

Tasks

• Ensure unit-unique services or applications have appropriate IT security controls implemented according to the Minimum Information Security Requirements for Systems, Applications, and Data.
• Approve access to certain IT security tools, for example CrowdStrike Falcon.
• Authorize delegated privileged access for managing unit resources in AD.
• Work with unit leadership to answer the annual Internal Controls information assurance certification question as part of the Internal Control Annual Certification Process.

IT Security Posture

Responsibilities

• Support the implementation of IA services and capabilities and leverage them to meet unit requirements.
• Ensure their unit has established and regularly reviews appropriate security procedures.

Tasks

• Understand incident reporting policies, ensuring security incidents are reported to IA in a timely manner, and acting as the focal point for incident management in the unit.
• Assist with RECON risk assessments by clarifying scopes, identifying subject matter experts and system owners within their unit(s), and helping collect information as needed.
• Collaborate with IA to resolve issues identified in Vulnerability Scanning reports, Sensitive Data Discovery reports, Risk Treatment Plans following RECON, and other IA-generated reports.
• Coordinate with unit faculty and researchers in planning for information security requirements included in research grants and contracts.

Required Training

This training is required for new SULs as part of the onboarding process for the role. Beginning October 2025, current SULs are required to complete the courses every two years, based on the date they were last completed.

• SUL100: Role and Responsibilities
  Describes the role, overall expectations, how SULs coordinate security activities within the unit and in collaboration with IA, and highlights key responsibilities with scenarios.

• SUL101: Incident Response at U-M
  Outlines the goals of incident response at U-M, defines what a security incident is and what makes it serious (per SPG 601.25), provides initial steps to take when responding to an incident, and describes the overall incident response process.

• SUL102: IT Security Administration at U-M 
  Highlights capabilities IA offers in the areas of vulnerability management, endpoint protection, sensitive data discovery, and network security, and describes the SUL role in ensuring these capabilities are utilized in order to improve the unit’s security posture.

• SUL103: IT Security Risk Management at U-M
  Provides an overview of the Information Security Risk Management process, describes when RECONs (Risk Evaluations of Computers and Open Networks) are required, and guides SULs through the process of performing risk evaluations.