University of Michigan
News for Faculty and Staff

December 17, 2017

University to revise information technology security policy

August 15, 2016

University to revise information technology security policy

The University of Michigan is revising its information technology security policy to establish a single, comprehensive IT security and information assurance program for the Ann Arbor, Dearborn and Flint campuses and the Health System.

The revised policy, covered by SPG 601.27, would contain a cybersecurity risk management framework and enterprise security architecture that incorporates best practices for protecting the institution's critical IT infrastructure and data assets.

Emphasis is placed on protecting U-M's most sensitive data first, guided by a new data classification scheme and tiered security model that ultimately encompass all university data and information systems.

Proposed revisions are available on the Office of the CIO website. Comments and feedback from university community members may be submitted using an online feedback form on the website.

"Institutions like Michigan have been subject to increasingly complex and persistent cyber attacks," says Donald Welch, chief information security officer. "These attacks threaten sensitive data and systems, and jeopardize the university's ability to maintain its core missions. The revised security policy seeks to keep our campuses secure and limit the risks of successful attacks."

Welch, who has served as CISO since spring 2015, is responsible for the university's information and infrastructure assurance (IIA) program. Areas within IIA include IT security, privacy, IT policy, compliance and disaster recovery.

Before coming to U-M, Welch served as president and CEO of Merit Network, a nonprofit organization governed by Michigan's public universities that provides a research and education network for computer and related services.

He also leads several national higher education organizations, including the Michigan governor's cyber security advisory council and the FBI's cyber security advisory council.

"As the IIA team has re-examined the institution's security policies, we have been partnering with university leaders and the IT community to determine how best to protect our data and information assets," says Welch.

Faculty, staff and U-M governance groups are reviewing the proposed policy as it becomes incorporated into the Standard Practice Guide. The current version of SPG 601.27 was published in 2008 at the infancy of U-M's information security program, and no longer reflects the information security challenges facing higher education institutions.

"One of our goals is to have a robust IT security policy with supporting IT standards, guidelines and procedures," says Welch. "The new policy and program accomplish this goal, and make securing university-provided services more straightforward and readily accessible to faculty and staff."

More information and a timeframe for program implementation will be available in the coming months. Questions should be directed to iia.inform@umich.edu.