Aligning with Information Security (SPG 601.27) and Supporting Standards

Information Security (SPG 601.27) and its supporting standards strive to strike a balance between appropriately securing the university and enabling its teaching, research, clinical, and administrative missions.

  • U-M’s approach to information security is risk-based.
  • Units partner with Information Assurance (IA) to understand their risk.
  • Units implement information security controls and practices to mitigate risks for unit-specific systems and applications under their direct or primary control.

Keep these key points in mind as you work to continually align your unit's IT security practices with the policy and standards:

  • Information security is a shared responsibility. To protect both institutional and personal data and systems, U-M IT service providers, unit IT staff, and individual faculty, staff, and researchers all must do their part.
  • There is no such thing as 100% security; incremental improvement is still improvement. Good IT security practices are always a work-in-progress marked by continuous, incremental, and iterative improvement.
  • Prioritize opportunities for improvement. You cannot do everything at once. Think about what is most important for your unit as a whole, balancing the differing needs and expectations of your stakeholders, and decide what to work on first. Develop an action plan, implement it, and measure unit progress.

Support from Information Assurance

IA meets regularly with unit IT staff, university stakeholders, IT governance groups, and others to:

  • Update the U-M community about new and revised policies and standards and to seek related feedback.
  • Support units and departments in their efforts to align with the requirements of the policies and standards. IA subject matter experts are available to work with units on aligning with specific standards.

IA provides these resources:

  • Guidance and Documentation on Safe Computing. Detailed guidance, documentation, and tools to support implementation and alignment with the policy and standards are available at Protect Your Unit’s IT.
  • Unit-Specific Alignment Meetings. Units and departments can schedule individual meetings with IA subject matter experts by sending email to [email protected].
  • Alignment Using U-M IT Service Provider Services. Units may find it easier and more efficient to use services provided by U-M IT service providers (ITS, HITS, UM-Dearborn ITS, UM-Flint ITS) that are already aligned to specified requirements and standards. See the Sensitive Data Guide to IT Services.

SULs as Facilitators

IA asks each unit’s Security Unit Liaison (SUL) to facilitate and coordinate their unit’s alignment. Specific objectives of this work include:

  • Reviewing the policy and standards with appropriate unit employees to understand how they specifically apply in their unit environment. For example, many requirements apply only to sensitive institutional data classified as High or Restricted.
  • Planning how to meet the minimum information security requirements applicable to unit information systems and applications.
  • Educating unit faculty and staff about information security policies, standards, and their shared responsibility.
  • Soliciting and incorporating input from unit IT staff, administrative and business system administrators, faculty, and researchers.
  • Collaborating to identify potential resource needs or constraints.
  • Determining how best to apprise unit leadership of progress and identified gaps in alignment.