August 15, 2016
Topic: Information Technology
U-M executive officers recently approved changes to several IT policies in the Standard Practice Guide. The goal of these updates is to ensure that existing policies and the corresponding standards and guidelines reflect the current use of IT by faculty, staff, students, third-party vendors, contractors and others who have access to institutional data and information.
Proposed revisions were benchmarked against multiple universities, including all Big Ten schools and various other peer institutions. Faculty and staff representatives provided input to the changes.
The following is a list of IT policies that were reviewed or changed in July 2016 (except as noted):
Procurement General Policies and Procedures (SPG 507.01) (changed January 2015)
• Added new IT Security and Privacy section to help ensure service-provider compliance with governmental regulations and the U-M information security program.
Responsible Use of Information Resources (SPG 601.07) (formerly Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan)
• Focuses on good digital citizenship for members of the U-M community, including students, alumni with uniqnames, affiliates and contractors.
• Applies to use of any U-M information resources regardless of the type of device or platform.
• Specifies the acceptable uses of IT resources for personal purposes.
• Allows units to implement supplemental unit-specific guidelines in addition to the baseline policy.
Social Security Number Privacy (SPG 601.14)
• Now the Social Security Number Privacy and Protection IT Standard (DS-10), rather than an SPG.
• Includes specific and mandatory requirements beyond the original policy, which limited the use and storage of Social Security numbers.
Electronic Access to Potentially Offensive Materials (SPG 601.16)
• Reviewed for the first time in over 10 years.
• Content remains the same.
Information Security Incident Reporting (SPG 601.25)
• Establishes a new set of key policy principles guiding incident management.
• Defines the role and responsibility of third-party vendors and contractors in incident reporting.
• Adds new requirement to report payment card industry breaches.
• Requires reporting of accidental disclosure of sensitive institutional data.
The following SPGs have been retired and removed from the SPG catalog because they reflected discontinued or out-of-date protocols or practices:
• Personal Long Distance Phone Calls (SPG 512.02)
• Telephones in Private Residences (SPG 512.03), replaced by Tech Tools: Cell Phones and Portable Electronic Resources (SPG 514.04)
• Ownership and Use of Computer Software (SPG 601.03)
The IT policies listed below are in the review or development phase in accordance with the IT Policy Development and Administration Framework. Members of the university community are welcome to provide feedback.
• Institutional Data Resource Management Policy (SPG 601.12)
• Domain Name System Standards at the University of Michigan (SPG 601.15-1)
• Information Security Policy (SPG 601.27)
Steps are underway to regularly apprise the campus community about new policies and programs, including the addition of a new IT category in the SPG catalog.
More information about IT policies can be found on the Office of the CIO website.