In what administration officials regard as a significant milestone in U-M’s security history, the University is implementing a comprehensive information security policy in the Standard Practice Guide (SPG).
Information Security Policy SPG 601.27 went into effect Jan. 2.
The SPG informs all schools, colleges, departments and central offices on the Ann Arbor, Flint and Dearborn campuses of strategies and guidelines for protecting all forms of information, says Paul Howell, chief information technology (IT) security officer.
“This policy recognizes the University’s investment in IT, which will result in more efficient operations,” Howell says. “The artfulness is that we avoided a one-size-fits-all approach where all information is equally protected. The University needs to implement appropriate security measures that are based on the sensitivity and criticality of the information.”
To help protect from outside threats, such as identity theft and malicious destruction of data, the University developed better attack tools and more secure systems. Per the new SPG, “each University unit will implement security safeguards that are appropriate to information asset sensitivity, criticality and the level of risk identified in the risk assessment process.”
The new policy also is needed to comply with federal, state and local laws that require the implementation of information security safeguards.
The SPG encourages a communitywide security effort, stating, “Members of the University community have individual and shared responsibilities to protect the information assets of the University.”
While the SPG applies to the approximately 80,000 computers at the three U-M campuses, it also covers other forms of information, including data stored on paper and any other media, says Esther Friedmann, policy and compliance program manager.
“This is designed to preserve ownership,” Howell says. “When sensitive information is potentially disclosed, it hurts the reputation of the University.”
Educating the campus community about the new policy is a shared responsibility, says Maria Sheler-Edwards, communications specialist for IT Security Services. Units have identified unit-level security liaisons to coordinate their security activities and educate their communities on the implications of implementing the new SPG.
“This is a practical application of the SPG,” Sheler-Edwards says. “Employees should go to the security unit liaison to address security questions and issues specific to their unit.”
