Information Assurance Operational Transparency

The University of Michigan is committed to maintaining an appropriately secure IT environment that enables its teaching, research, clinical, and administrative missions and protects the privacy of its students, faculty, and staff. The purpose of this page is to describe some of the methods and protocols established to deliver on that commitment.

Information Security and Privacy Protocols

All IT staff adhere to SPG 601.11: Privacy and the Need to Monitor and Access Records, SPG 601.07: Responsible Use of Information Resources, and all relevant IT policies when accessing and handling U-M data. The protocols below explain how these policies are applied to IT operations when staff must take immediate steps to protect the security and integrity of the U-M network and systems. These protocols build upon the responsibilities outlined in the University of Michigan Statement on Stewardship of Information and Technology Resources.

  • Blocking Websites
    We block access to websites only when they contain phishing or malware. We never block websites based on content. Refer to Malicious Website Blocking for more information.
  • Blocking Email
    We block the delivery of emails only when they exhibit inappropriate behavior by the sending host, such as false sender information, invalid UMICH addresses, or evidence of phishing and malware. We do not block email based on content. U-M and our email service providers have tools in place to prevent spam and phishing, and these tools can at times block delivery of emails based on industry standard protocols. Refer to How U-M Reduces Malicious Email for You and ITS Postmaster for more information.
  • Retracting Delivered Email
    In rare cases, we may retract already-delivered email messages when they present an active security threat, per SPG 601.25: Information Security Incident Reporting, as well as under exigent circumstances to prevent imminent harm to life or safety. We may also retract messages that pose a significant compliance risk to the university, such as messages containing “Restricted” or “High” sensitive data that have been delivered in error. Email retraction requires the explicit approval of the university Chief Information Security Officer, and retraction events are documented with the U-M Privacy Office.
  • Locking User Accounts
    We lock non-privileged end user accounts without prior notice only when there is clear evidence that an unauthorized party is using them. Refer to Compromised Accounts for more information. Please note that third-party providers (such as Google) may lock U-M related accounts according to their terms of service without necessarily informing U-M staff.
  • Removing Systems from the U-M Network
    We remove systems from the network without prior notice only when we have clear evidence that they are compromised and either maintain or access sensitive information or are being used to attack other systems.
  • Accessing Logs
    U-M IT systems routinely collect log data to evaluate and improve system performance, as well as to identify and halt unauthorized access to systems and data, and other malicious activity. Access to log data is granted only to those who need it for their U-M work. Refer to Endpoint Protection, Data Collection, Sensitive Data, and Privacy for more information.
  • Accessing Records
    The university must, at times, access records and systems under employee control. This is done only in accordance with SPG 601.11: Privacy and the Need to Monitor and Access Records. For more information on required authorizations and approvals, see the ITS IA Standard Investigatory Support Process (U-M login required) and ITS IA Academic Integrity Support Principles (U-M login required).

Contact ITS Information Assurance (IA) through the ITS Service Center if you have any questions or concerns about transparency, privacy, and related IT practices at U-M.