Because of its unique needs, Michigan Medicine has specific IT security standards that must be met according to Federal, State, and Organizational policies and regulations. The resources below are designed for Michigan Medicine employees managing IT systems or services, most commonly known as Trusted Service Providers (TSPs) and provide additional guidance on some of the most common Information Assurance (IA) processes TSPs will encounter.
New Data Classification Self Assessment Tool
A new Data Classification Self Assessment tool helps identify the classification level of the data you are working with so that you can plan to store or process it securely. The tool is designed to align with existing Safe Computing guidance and tools, such as the Sensitive Data Guide, and help with informed decisions about how best to protect U-M's data.
The new data classification tool features questions about the data you are working with, and employs logic based on your answers to suggest data sensitivity level and applicable laws and regulations that govern it, or direct you to contact IA for further assessment.
It is important to remember that the results of the self assessment are meant to give you guidance as you prepare to work with institutional or research data. They are not dispositive and do not represent a final decision on the classification of the data. For data classified as High or Restricted, or for help with the classification of particularly sensitive and/or complex data, contact IA through the ITS Service Center. You can learn more about About Data Classification on the Safe Computing website.
IA is committed to offering data protection solutions for the U-M community. We hope that Data Classification Self Assessment will be another tool that helps you as we work to meet our shared responsibility to protect U-M's valuable digital assets.
I’m trying to…
Submit an MMIAR
All IT systems connecting to organizational IT resources first need to be screened. Click here to review the Michigan Medicine Investment Assurance Request (MMIAR) requirements and Vendor Selection information.
Manage IT Vulnerabilities
All IT systems are routinely scanned for vulnerabilities. Click here for the process and requirements for reviewing and remediating vulnerabilities — or requesting exceptions for fixes that cannot be applied within the required timeframes.
Manage Risk Assessments
All IT systems must periodically undergo updated risk (controls) assessments. Click here for the process and requirements for managing risk assessments.
Submit an RDR
The Risk Decision Request (RDR) is how TSPs request to keep an IT system or service connected to Michigan Medicine IT resources when a vulnerability on that system cannot be resolved in the designated timeframe.
Comprehensive IA Assured Vendor List
Sometimes, using a pre-assessed vendor is not always possible - in these cases, a separate MMIAR will need to be completed on the vendor themselves. In order to satisfy the MMIAR requirement of having a ServiceNow Configuration Item (CI), a vendor must be created and added to ServiceNow if they have not been already.
Review IA Change & Release
The IA Change & Release effort is a collaborative publication with IA partners (HITS & TSPs) to review minor IA process changes monthly. Click here for current and archived IA Change & Release Notes.