The revised University of Michigan Information Security Policy was recently approved, along with a number of new Information Technology Standards, and will be phased in over the next two years.
The policy — SPG 601.27 in the university’s Standard Practice Guide — and accompanying standards represent the most comprehensive revision of the institution’s information security policy since its inception over a decade ago.
SPG 601.27: Then and Now
• IT security not viewed as significant U-M priority
• Established a decentralized IT security program that often differed by unit
• Few specific IT standards and requirements
• Inconsistent, ad-hoc and uncoordinated compliance
• Unilateral acceptance of risk by units
• IT security acknowledged as a leading risk at U-M
• IA team has broader institutional responsibilities and operations
• Specific IT standards with expanded guidance for units
• Institutional support and oversight directed at compliance
• More limited discretionary risk acceptance at the unit level
SPG 601.27 and the standards are based on a cybersecurity risk management framework that incorporates best practices for protecting U-M’s critical IT infrastructure and data assets.
Information and Technology Services’ Information Assurance office (IA) recognizes that implementing the policy and standards will take some time given the more detailed nature of the standards. Implementation will be phased in over two years, with an anticipated compliance date of Dec. 31, 2020.
Policy revisions include broader institutional information security responsibility led by IA, more limited discretionary risk acceptance at the unit level, expanded and more specific guidance for units, and a new four-level data classification scheme to define sensitivity of institutional data.
“Information security, particularly for a highly distributed and collaborative environment like our institution, is an evolving paradigm,” said Ravi Pendse, vice president for information technology and chief information officer. “The revised Information Security policy strives to balance appropriately securing the institution while supporting open collaboration and innovation in research, teaching, learning, and clinical care.
“It also acknowledges that everyone — faculty, staff, and students — shares the responsibility for information security. We are all in this together.”
IA staff members are meeting with university stakeholders, IT governance groups and others to outline the implementation planning process. Meanwhile, each unit’s security liaison is being asked to facilitate, coordinate, and communicate implementation planning.
“The Information Assurance team will work with and support all U-M campuses and Michigan Medicine as we work toward implementation,” said Sol Bermann, chief privacy officer and interim chief information security officer.
“Information security is a shared responsibility. The IA team looks forward to working with units across the university to support implementation, interpreting the policy and standards, and receiving feedback along the way.”
Initial opportunities and resources for getting units off to a good start include regularly updated guidance on the Safe Computing website, working sessions with unit IT staff, unit-specific implementation planning meetings, and availability of existing ITS services that are already aligned or working toward alignment with policy and standards requirements.
Ongoing feedback will be a critical component of the implementation process. University community members are encouraged to send their thoughts and ideas to firstname.lastname@example.org.