Responsibilities and Expectations for Self-Managing U-M Devices

Faculty and staff who self-manage a U-M computer or device are responsible for implementing appropriate security controls, following best practices, and configuring their device to minimize potential security risks, similar to what is expected of a user accessing U-M sensitive data on a personally owned device.

You may not access or store data classified as Restricted on any self-managed device.

If you have trouble implementing any of the security controls below, contact your unit IT staff for assistance. Unit IT staff will contact Information Assurance (IA) via the ITS Service Center as needed.

Specific responsibilities for self-managing a U-M device include:

  • Secure data classified as High and Moderate as outlined in Protect Sensitive Data and in accordance with the guidelines in the Minimum Information Security Requirements for Systems, Applications, and Data.
  • Protect U-M networks by not connecting a device that is out of date to the network. Work with your unit IT staff to put safeguards in place such as a private network or appropriate firewalls if the device needs to connect to other devices.
  • When outside the U-M network, connect using the U-M VPN. Do not use free wireless networks or off-campus networks without the VPN. 
  • Implement full disk encryption. If you cannot implement full disk encryption, work with unit IT staff on compensating controls for your machine. 
  • Protect devices that cannot be updated by not connecting them to any outside (non-U-M) network.
  • Keep your operating system and other software up-to-date. Software updates include patches for newly identified vulnerabilities and other important security updates.
  • If an IA vulnerability scan finds a Critical or High vulnerability on your device, fix the issue immediately. If fixing the issue would hinder using the device (such as changing a setting that would prevent research software from running), contact IA for suggestions on how to limit risk.
  • Use antivirus software. Follow the guidance for Anti-virus for U-M Computers to protect a self-managed computer.
  • Back up your data. The university offers several file storage options (both free and fee-based) that you can use. Check the Sensitive Data Guide to see which services are appropriate for certain types of sensitive institutional data. U-M data must be backed up to a U-M device or service.
  • Manage passwords by following this guidance.
  • Choose web browser security settings that protect privacy and enhance security.
  • Comply with all applicable U-M IT policies, including Responsible Use of Information Resources (SPG 601.07) and Information Security (SPG 601.27).
  • Secure your device by achieving a CIS-CAT score of 80% or greater and carrying out the operating system-appropriate hardening guidelines recommended by the CIS-CAT tool.
  • Configure and activate a personal firewall to help insulate the device from network-based viruses and worms.
  • Do not use an account with elevated administrator access for day-to-day, routine activities.
  • Ensure that all software installed on the computer is in compliance with Software Procurement and Licensing Compliance (SPG 601.03-3).
  • Promptly report a compromised account or other security incident to the ITS Service Center.