Information security policy revised and approved

October 31, 2018

The revised U-M Information Security Policy was recently approved, along with a number of new information technology standards, and will be phased in over the next two years.

The policy — SPG 601.27 in the university’s Standard Practice Guide — and accompanying standards represent the most comprehensive revision of the institution’s information security policy since its inception over a decade ago.

SPG 601.27 and the standards are based on a cybersecurity risk management framework that incorporates best practices for protecting U-M’s critical IT infrastructure and data assets.

Because the standards are considerably more detailed than the policy itself, implementation will take some time. It will be phased in over two years, with an anticipated compliance date of Dec. 31, 2020.

Policy revisions include broader institutional information security responsibility, more limited discretionary risk acceptance at the unit and clinic level, expanded and more specific guidance for units and clinics, and a new four-level data classification scheme to define sensitivity of institutional data.

“Information security, particularly for a highly distributed and collaborative environment like our institution, is an evolving paradigm. The revised Information Security policy strives to balance appropriately securing the institution while supporting open collaboration and innovation in research, teaching, learning and clinical care,” said Ravi Pendse, vice president for information technology and chief information officer.

“It also acknowledges that everyone — faculty, staff and students — shares the responsibility for information security. We are all in this together.”

Meetings are being set up with university stakeholders, IT governance groups, and others to outline the implementation planning process. Meanwhile, Michigan Medicine’s security liaison and others across the university are being asked to facilitate, coordinate and communicate implementation planning.

“Information security is a shared responsibility. People, process and technology must work in coordination to ensure a secure environment,” said Jack Kufahl, Michigan Medicine’s chief information security officer. “This new SPG establishes the expectation that we all do our part to protect U-M’s information assets.”

Initial opportunities and resources for getting everyone off to a good start include regularly updated guidance on the Safe Computing website, working sessions with HITS staff and other IT staff on the various campuses, and availability of existing IT services that are already aligned or working toward alignment with policy and standards requirements.  

Ongoing feedback will be a critical component of the implementation process.

Michigan Medicine community members are encouraged to send their thoughts and ideas to