Every unit, school, and college has a staff member designated as a Security Unit Liaison (SUL), serving as that unit's primary IT security contact. To find the SUL for your unit, see the Security Unit Liaison Directory.
Information Security (SPG 601.27) establishes the expectation that units share in the responsibility to protect the information assets controlled by the university.
Deans or directors appoint SULs for their units. SULs serve as a focal point for coordinating information security activities within the unit and act as the main interface between the unit and Information Assurance (IA). Large, complex units, or those with multiple independent sub-units, may choose to appoint more than one SUL to ensure coverage of all areas.
An SUL should have a strong interest in IT security and compliance and must have the influence or authority within their unit to ensure that U-M IT security standards and practices are being implemented and followed. A background in information technology is helpful, but it is not required for the role.
In general, SULs are expected to commit to a minimum two-year term with an average time commitment of four to ten hours per month, depending on the size, complexity, and number of SULs in their unit. An SUL can delegate specific tasks to others in their unit but maintains the responsibility of ensuring that all tasks are completed in a timely manner.
SULs are responsible for:
- Regularly communicating with unit leadership on security-related issues and alerting leadership to security risks and needed risk mitigation.
- Leveraging IA services to meet unit requirements and support unit missions.
- Ensuring their unit has established and regularly reviews appropriate unit-level security procedures in accordance with U-M policies and standards.
- Coordinating information security education and awareness for their unit.
- Sharing email, communications, and security awareness materials from IA and other sources with their unit.
- Promoting awareness and education of security policies and guidelines.
- Serving as the primary contact for monitoring and auditing of information security policy implementation.
- Providing ongoing feedback to IA on special security needs, priorities, and concerns, including possible improvements for processes, services, and technologies.
- Assisting IA in the maintenance of an inventory of sensitive and critical information assets within their unit(s) as well as any unit-unique regulatory requirements.
SULs are responsible for ongoing and recurring specific information security activities in their unit(s), including:
- Understanding incident reporting policies, ensuring security incidents are reported to IA in a timely manner, and acting as the focal point for incident management in the unit.
- Assisting with RECON risk assessments by clarifying scopes, identifying subject matter experts and system owners within their unit(s), and helping collect information as needed.
- Collaborating with IA to resolve issues identified in Vulnerability Scanning reports, Sensitive Data Discovery reports, Risk Treatment Plans following RECON, and other IA-generated reports.
- Ensuring unit-unique services or applications have appropriate IT security controls implemented according to the Minimum Information Security Requirements for Systems, Applications, and Data.
- Identifying awareness, training, and education topics that would benefit their unit(s), and promoting IT security awareness among unit faculty and staff.
- Sharing IA security alerts, advisories, and notices with unit faculty and staff.
- Attending quarterly SUL and/or IT Security Community meetings.
- Working with unit leadership to answer the annual Internal Controls information assurance certification question as part of the Internal Control Annual Certification Process.
- Coordinating with unit faculty and researchers in planning for information security requirements included in research grants and contracts.