Every unit, school, and college has a staff member designated as a Security Unit Liaison (SUL), serving as that unit's primary IT security contact. To find the SUL for your unit, see the Security Unit Liaison Directory. (U-M Login Required)
Information Security (SPG 601.27) establishes the expectation that units share in the responsibility to protect the information assets controlled by the university.
Appointments/Terms
- Deans or their equivalent/designate appoint SULs for their units.
- Large, complex units, or those with multiple independent sub-units, may choose to appoint more than one SUL to ensure coverage of all areas.
- In general, SULs are expected to commit to a minimum two-year term with an average time commitment of four to ten hours per month, depending on the size, complexity, and number of SULs in their unit.
- An SUL can delegate specific tasks to others in their unit but maintains the responsibility of ensuring that all tasks are completed in a timely manner.
Characteristics of an SUL
- An SUL should have a strong interest in IT security and compliance.
- SULs must have the influence or authority within their unit to ensure that U-M IT security standards and practices are being implemented and followed.
- A background in information technology is helpful, but it is not required for the role.
General Responsibilities
At a high level, SULs are responsible for:
- Distributing communication and creating awareness
- Coordinating implementation and maintenance of appropriate IT security controls
- Supporting the university’s IT security posture
Communication and Awareness
Responsibilities
- Regularly communicating with unit leadership on security-related issues and alerting leadership to security risks and needed risk mitigation.
- Coordinating information security education and awareness for their unit.
- Providing ongoing feedback to IA on special security needs, priorities, and concerns, including possible improvements for processes, services, and technologies.
Tasks
- Identify awareness, training, and education topics that would benefit their unit(s).
- Share email, communications, and IA security alerts, advisories, and notices with unit faculty and staff.
- Attend quarterly IT Security Community meetings.
- Promote awareness of U-M IT security policies and standards.
- Share security-related updates and best practices from the Safe Computing Newsletter and the Safe Computing website with units, as appropriate.
- Use IA-provided awareness materials such as digital signs, posters, swag, and social media posts to share information with unit faculty and staff.
- Provide feedback to IA when additional materials are needed.
IT Security Controls
Responsibilities
- Serve as the primary contact for monitoring and auditing of information security policy implementation.
- Authorize and approve appropriate access to IT security tools and Active Directory resources.
Tasks
- Ensure unit-unique services or applications have appropriate IT security controls implemented according to the Minimum Information Security Requirements for Systems, Applications, and Data.
- Approve access to certain IT security tools, for example CrowdStrike Falcon.
- Authorize delegated privileged access for managing unit resources in AD.
- Work with unit leadership to answer the annual Internal Controls information assurance certification question as part of the Internal Control Annual Certification Process.
IT Security Posture
Responsibilities
- Support the implementation of IA services and capabilities and leverage them to meet unit requirements.
- Ensure their unit has established and regularly reviews appropriate security procedures.
Tasks
- Understand incident reporting policies, ensure security incidents are reported to IA in a timely manner, and act as the focal point for incident management in the unit.
- Assist with RECON risk assessments by clarifying scopes, identifying subject matter experts and system owners within their unit(s), and helping collect information as needed.
- Collaborate with IA to resolve issues identified in Vulnerability Scanning reports, Sensitive Data Discovery reports, Risk Treatment Plans following RECON, and other IA-generated reports.
- Coordinate with unit faculty and researchers in planning for information security requirements included in research grants and contracts.