Information Security and Privacy Protocols
All IT staff adhere to SPG 601.11: Privacy and the Need to Monitor and Access Records, SPG 601.07: Responsible Use of Information Resources, and all relevant IT policies when accessing and handling U-M data. The protocols below explain how these policies are applied to IT operations when staff must take immediate steps to protect the security and integrity of the U-M network and systems. These protocols build upon the responsibilities outlined in the University of Michigan Statement on Stewardship of Information and Technology Resources.
We block access to websites only when they contain phishing or malware. We never block websites based on content. Refer to Malicious Website Blocking for more information.
Locking User Accounts
We lock non-privileged end user accounts without prior notice only when there is clear evidence that an unauthorized party is using them. Refer to Compromised Accounts for more information. Please note that third party providers (such as Google, etc.) may lock U-M related accounts according to their terms of service without necessarily informing U-M staff.
Removing Systems from the U-M Network
We remove systems from the network without prior notice only when we have clear evidence that they are compromised and they maintain or access sensitive information, or they are being used to attack other systems.
We block the delivery of emails only when they exhibit inappropriate behavior by the sending host, such as false sender information, invalid UMICH addresses, or evidence of phishing and malware. We do not block email based on content. U-M and our email service providers have tools in place to prevent spam and phishing, and these tools can at times block delivery of emails based on industry standard protocols. Refer to How U-M Reduces Malicious Email for You and ITS Postmaster for more information.
U-M IT systems routinely collect log data to evaluate and improve system performance, as well as to identify and halt unauthorized access to systems and data, and other malicious activity. Access to log data is granted only to those who need it for their U-M work. Refer to Endpoint Protection: Data Collection, Sensitive Data, and Privacy for more information.
The university must, at times, access records and systems under employee control. This is done only in accordance with SPG 601.11: Privacy and the Need to Monitor and Access Records. For more information on required authorizations and approvals, see the ITS IA Standard Investigatory Support Process (U-M login required).
Contact ITS Information Assurance (IA) through the ITS Service Center if you have any questions or concerns about transparency, privacy, and related IT practices at U-M.