SPG 601.27 and Supporting Standards Alignment FAQ

What are the primary objectives Information Assurance (IA) hopes to achieve with the revised Information Security (SPG 601.27) policy and supporting standards?

  • Reflect commitment to a university culture that information security is a shared responsibility
  • Provide standardized guidance identifying appropriate security controls for systems and applications
  • Support U-M compliance with federal and state regulatory regimes that require specific information security policies and documentation of security practices
  • Provide an authoritative response to the question: Where does it say I have to do this?

When do all units need to be in compliance with Information Security (SPG 601.27) and the 13 supporting standards?

There is no 100% security because there are always new threats to deal with and the
cybersecurity environment is constantly evolving and shifting. The objective for units is
continuous improvement in meeting the minimum information security requirements for each
standard; incremental improvement is still improvement. Units should prioritize opportunities
for improvement since it’s not possible to do everything at once; there are always resource and
time limitations. U-M’s approach to information security is risk-based. Units should seek to
identify the greatest risks associated with unit-unique systems and applications and focus
mitigation efforts on those.

Who in my unit is responsible for making sure this happens?

IA works with each unit’s Security Unit Liaison, who is expected to serve as the facilitator and coordinator for their unit’s implementation planning.  Specific objectives for this role include:

  • Review the policy and standards to understand how they will apply to their unit (for example, many requirements in the standards only apply to sensitive institutional data classified as High or Restricted).
  • Plan how to meet the minimum security requirements applicable to unit information systems and applications.
  • Solicit and incorporate input of unit IT staff, administrative and business system administrators, faculty, and/or researchers.
  • Collaborate to identify potential resource needs or constraints.
  • Determine how to apprise unit leadership of progress.

Is IA responsible for certifying my unit as compliant with SPG 601.27 and the supporting standards?

No. IA will not carry out any certification process. Units are encouraged to conduct a voluntary
self-assessment of their progress toward alignment with the Minimum Information Security
Requirements
encompassed in the standards that support Information Security (SPG 601.27). It
is recommended that units that opt to do a self-assessment do so before December 31, 2020 so
that timeframes and strategies for addressing identified gaps can be developed. IA will be
available to support units in their self-assessment but will not directly carry any out and units
will not be expected to submit their self-assessment to IA.

Can IA visit my unit for an overview of the policy, individual standards, or to do a security “health check”?

Yes, we would be happy to. IA staff have been meeting with units and departments from all over the university and find it mutually helpful to discuss specific environments with their own set of security challenges. Unit staff may also appreciate the opportunity to meet with IA subject matter experts and get their technical or substantive questions answered. Contact info-assurance@umich.edu to set something up.

What resources are available to support unit implementation of the standards?