Security Unit Liaisons

Slides from previous  IT Security Community Meetings are available to members of the IT Security Community.

Every unit, school, and college has a staff member designated as a Security Unit Liaison (SUL), serving as that unit's primary IT security contact. To find the SUL for your unit, see the Security Unit Liaison Directory. (U-M Login Required)

Information Security (SPG 601.27) establishes the expectation that units share in the responsibility to protect the information assets controlled by the university.

Appointments/Terms

  • Deans or their equivalent/designate appoint SULs for their units.
  • Large, complex units, or those with multiple independent sub-units, may choose to appoint more than one SUL to ensure coverage of all areas.
  • In general, SULs are expected to commit to a minimum two-year term with an average time commitment of four to ten hours per month, depending on the size, complexity, and number of SULs in their unit.
  • An SUL can delegate specific tasks to others in their unit but maintains the responsibility of ensuring that all tasks are completed in a timely manner.

Characteristics of an SUL

  • An SUL should have a strong interest in IT security and compliance
  • SULs must have the influence or authority within their unit to ensure that U-M IT security standards and practices are being implemented and followed.
  • A background in information technology is helpful, but it is not required for the role.

General Responsibilities

At a high level, SULs are responsible for:

  • Distributing communication and creating awareness
  • Coordinating implementation and maintenance of appropriate IT security controls
  • Supporting the university’s IT security posture.

Communication and Awareness

Responsibilities

  • Regularly communicating with unit leadership on security related issues and alerting leadership of security risks and needed risk mitigation.
  • Coordinating information security education and awareness for their unit.
  • Providing ongoing feedback to IA on special security needs, priorities, and concerns, including possible improvements for processes, services, and technologies.

Tasks

  • Identify awareness, training, and education topics that would benefit their unit(s).
  • Share email, communications, and IA security alerts, advisories, and notices with unit faculty and staff.
  • Attend quarterly IT Security Community meetings.
  • Promote awareness of U-M IT security policies and standards.
  • Share security-related updates and best practices from the Safe Computing Newsletter and the Safe Computing website with units, as appropriate.
  • Utilize IA-provided awareness materials such as digital signs, posters, swag and social media posts to share information with unit faculty and staff.
  • Provide feedback to IA when additional materials are needed.

IT Security Controls

Responsibilities

  • Serve as the primary contact for monitoring and auditing of information security policy implementation.
  • Authorize and approve appropriate access to IT security tools and Active Directory resources.

Tasks

IT Security Posture

Responsibilities

  • Support the implementation of IA services and capabilities and leverage them to meet unit requirements.
  • Ensure their unit has established and regularly reviews appropriate security procedures.

Tasks

  • Understand incident reporting policies, ensuring security incidents are reported to IA in a timely manner, and acting as the focal point for incident management in the unit.
  • Assist with RECON risk assessments by clarifying scopes, identifying subject matter experts and system owners within their unit(s), and helping collect information as needed.
  • Collaborate with IA to resolve issues identified in Vulnerability Scanning reports, Sensitive Data Discovery reports, Risk Treatment Plans following RECON, and other IA-generated reports.
  • Coordinate with unit faculty and researchers in planning for information security requirements included in research grants and contracts.