Protect Your Unit's IT

Policy & Standards

U-M’s information security policy and 13 supporting standards balance protecting U-M information systems and data; maintaining an open environment for teaching, learning, and research; and ensuring the university's core missions and institutional priorities remain paramount. Each standard is supported by supplemental guidance and documentation to help units meet the minimum security requirements as identified in the policy and standards.

  • Access, Authorization, and Authentication
    Ensure that the right people have the right access to the right things at the right time while applying appropriate security controls.
  • Awareness, Training, and Education
    Tips, training, and more that you can use and share to help you protect sensitive university data as well as your own personal information.
  • Backup U-M Data
    All U-M units and research programs on all campuses are required to back up university data.
  • Disaster Recovery Management
    Follow this guidance to determine the scope of required planning and use provided templates to help ensure everything is covered.
  • Encryption
    Use encryption to protect data from accidental exposure, theft, or compromise.
  • Hardening Guides & Tools
    Follow these instructions to ready your servers, databases, and applications to handle sensitive data.
  • Information Security Risk Management
    Identify, assess, and limit threats to the university’s most important information systems and data.
  • Network Security Management
    Ensure the confidentiality and integrity of data in transit over IT networks.
  • Physical Security
    Create a secure physical environment for IT systems to reduce the risk of theft or loss of U-M data.
  • Secure Coding and Application Security
    Follow best practices and use testing services when developing and hosting applications that handle U-M data.
  • Securely Dispose of U-M Data and Devices
    Properly erase university devices for disposal or transfer.
  • Security Log Management
    Information captured by logs can be critical in supporting incident response or a forensic analysis in the event of a suspected data breach, IT security incident, or other legally mandated investigations.
  • Third Party Vendor Security & Compliance
    When you select a vendor, make sure they meet compliance requirements. Also include appropriate IT security and privacy agreements in your contract.
  • Vulnerability Management
    Vulnerability scans, alerts, and penetration testing help you know what to mitigate.