Information Security (SPG 601.27), which was revised in 2018, and its supporting standards strive to strike a balance between appropriately securing the university and enabling its teaching, research, clinical, and administrative missions.
- U-M’s approach to information security is risk-based.
- Units partner with Information Assurance (IA) to understand their risk.
- Units implement information security controls and practices to mitigate risks for unit-specific systems and applications under their direct or primary control.
Keep these key points in mind as you work to align your unit's IT security practices with the policy and standards:
- Information security is a shared responsibility. To protect both institutional and personal data and systems, U-M IT service providers, unit IT staff, and individual faculty, staff, and researchers all must do their part.
- There is no such thing as 100% security; incremental improvement is still improvement. Good IT security practices are always a work-in-progress marked by continuous, incremental, and iterative improvement.
- Prioritize opportunities for improvement. You cannot do everything at once. Think about what is most important for your unit as a whole, balance the differing needs and expectations of your stakeholders, and decide what to work on first. Develop an action plan, implement it, and measure unit progress.
- Phased Approach (Fall 2018–December 2020).
- Allows for additional work on security services and infrastructure at both unit and institutional levels.
- Allows for identifying and resolving unforeseen issues and planning to mitigate gaps.
- Units are encouraged to conduct self-assessment and inform senior leadership of progress.
Support from Information Assurance
IA meets regularly with unit IT staff, university stakeholders, IT governance groups, and others to:
- Update the U-M community about new and revised policies and standards and to seek related feedback.
- Support units and departments in their efforts to align with the requirements of the policies and standards. IA subject matter experts are available to work with units on aligning with specific standards.
IA provides these resources:
- Unit Self-Assessment of Progress. Units are encouraged to conduct a voluntary self-assessment of their progress toward alignment with the Minimum Information Security Requirements encompassed in the standards that support Information Security (SPG 601.27). IA is available to support units in their self-assessment but will not directly carry out any assessments. Units are not expected to submit their self-assessments to IA.
- Materials from Standards Working Sessions. IA held informational sessions for unit IT staff and others throughout 2019 to discuss in-depth each standard and provide an opportunity to ask questions of IA subject matter experts. Materials (slides, recordings, Q&A reports) are at SPG 601.27 Alignment Presentations.
- Guidance and Documentation on Safe Computing. Detailed guidance, documentation, and tools to support implementation and alignment with the policy and standards are available at Protect Your Unit’s IT.
- Unit-Specific Alignment Planning Meetings. Units and departments can schedule individual meetings with IA subject matter experts by sending email to email@example.com.
- Alignment Using U-M IT Service Provider Services. Units may find it easier and more efficient to use services provided by U-M IT service providers (ITS, HITS, UM-Dearborn ITS, UM-Flint ITS) that are already aligned to specified requirements and standards. See the Sensitive Data Guide to IT Services.
- Communities of Practice. IA has set up joinable MCommunity groups to serve as communities of practice where you can access the collective wisdom and expertise of your U-M colleagues, including IA subject matter experts. See Communities of Practice for Information Security Standards.
SULs are Facilitating
IA has asked each unit’s Security Unit Liaison (SUL) to facilitate and coordinate their unit’s alignment planning. Specific objectives of this work include:
- Reviewing the policy and standards with appropriate unit employees to understand how they specifically apply in their unit environment. For example, many requirements apply only to sensitive institutional data classified as High or Restricted.
- Planning how to meet the minimum information security requirements applicable to unit information systems and applications.
- Educating unit faculty and staff about information security policies, standards, and their shared responsibility.
- Soliciting and incorporating input from unit IT staff, administrative and business system administrators, faculty, and researchers.
- Collaborating to identify potential resource needs or constraints.
- Determining how best to apprise unit leadership of progress and identified gaps in alignment.