As the university’s digital environment evolves in response to global technological developments and the needs of the U-M community, so do our cybersecurity practices and underlying IT policies and standards.
Here is a roundup of the IT policies and standards that were updated in 2025:
- Network Security (DS-14): updated in February 2025 to establish requirements for use of the U-M network and VPN, update roles and responsibilities, and strengthen network protection mechanisms.
- Security Log Collection, Analysis, and Retention (DS-19): updated in June 2025 to incorporate changes in logging configuration requirements.
- Access, Authorization, and Authentication Management (DS-22): updated in June 2025 to require two-factor authentication for remote access to U-M systems.
- Institutional Data Stewardship Policy (SPG 601.12): revised in August 2025 to reflect changes to technology and the U-M Data Governance Framework.
- Information Security Incident Reporting (SPG 601.25): updated in August 2025 to make it clearer and more concise.
- Information Assurance Awareness, Training, and Education (DS-16): updated in October 2025 to clarify annual training requirements for faculty, staff, and workforce members.
- Endpoint Security Administration (DS-23): updated in November 2025 to include a requirement for information security support.
In early 2026, we published an update to Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) to adjust the definition of sensitive university data in alignment with Institutional Data Stewardship Policy (SPG 601.12) and the university data classification levels.
Later in the year, we are queuing up reviews and revisions of Vulnerability Management (DS-21) and Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12).
To stay up to date on recent and upcoming IT policy and standard revisions, visit the Information Technology Policies Under Review page on the VPIT-CIO website.