Take home message: Our IT security infrastructure is an essential tool for facilitating compliance with all U-M’s information related obligations. It is critical that everyone understands and complies with all of U-M’s IT policies, especially the SPG on Information Security, and any recommendations or directives related to IT security issued at their local level; because compliance with privacy, access, copyright, preservation and other information management laws is predicated on compliance with our internal IT security protocols.
- The Standard Practice Guide on Information Security (SPG 601.27) sets out U-M’s strategies and responsibilities for protecting the confidentiality, integrity and availability of information assets within the University environment. U-M’s efforts in IT security are coordinated through the IT Security Program (requires login).
- The Office of Information and Infrastructure Assurance (IIA), a part of Information and Technology Services, lead our university-wide efforts in the areas of information security, privacy, IT policy and enterprise continuity, in partnership with all U-M campuses and the Health System. The University IIA Council develops IT policies and has primary responsibility for ensuring that U-M’s policies and practices provide effective safeguards for securing our information and data.
- The Sensitive Data Guide will help you make informed decisions about where to safely store and share sensitive data. Guidance provided on the Sensitive Data Guide applies only to those on the U-M Ann Arbor campus.
- IT security is one of the major means through which U-M ensures compliance with all its obligations related to its digitally stored information. For example, our IT infrastructure and security systems operationally facilitate and support U-M’s compliance with privacy laws (like HIPAA and FERPA), identity theft and social security number protection, copyright laws, access laws like FOIA, and preservation laws.
- A summary of the laws that require security measures to be applied around various categories of information is maintained by Information and Infrastructure Assurance in their Security Compliance Overview (requires login), which includes a compliance table, listing the major laws and responsible contacts, and examples of what constitutes sensitive data.
- Any IT security incident or breach must be dealt with in accordance with the Standard Practice Guide on Information Security Incident Reporting (SPG 601.25). To report a breach of IT security or other IT security incident, follow the reporting process set out on the Safe Computing site, which includes information for the first 10 minutes and first 24 hours. The types of incidents that you should report include: unauthorized exposure of private personal information (which may lead to identity theft or misrepresentation); computer break-ins and other unauthorized use of U-M systems or data; unauthorized changes to computers or software; and equipment theft or loss.
- Each U-M unit also has its own information security plan. You should become aware of your local area’s plan and ensure you follow it. Any questions can be directed to your unit liaison, who can be identified using this Security Unit Liaison list (requires login). The Security Unit Liaisons are supported by a wider U-M security community, with members from units across all of U-M’s campuses.
- IT security begins with you! If you have a weak password, leave your computer unlocked and unattended, store private or confidential data in a non-encrypted or non-protected way, or fail to back up important information, then you are making yourself and U-M vulnerable to security breaches and to the compromise of important and sensitive information. It doesn’t take much effort for each of us to make good security practices a part of our routine.
- IT security breaches put U-M’s information – and, by extension, our entire operation – at risk; and exposes U-M to legal compliance breaches, particularly relating to privacy and confidentiality. A breach of IT security could be as simple as accidentally sending an email attachment to the wrong person, or as serious as having your laptop stolen in an airport, or discovering an unauthorized person is accessing or tampering with U-M’s systems. Regardless of how serious an incident is, it should be reported.
- If a breach of IT security happens, you may not have time to review protocols before you need to take action – so it’s a good idea to familiarize yourself with the reporting process, and be familiar with who your Security Unit Liaison is. That way, you can act fast and with confidence if confronted with a real incident.
- Mobile devices, like laptops and USB drives, are convenient ways to capture and store data, but are also particularly vulnerable to security breaches – with consequences as severe as seeing your sensitive research data in the newspaper. Encryption is one way to improve the security of these devices, which ITS can help you with.
For advice about IT security, or to discuss issues or concerns relating to IT security, contact your local Security Unit Liaison in the first instance, or another member of the U-M Security Community in your unit.
You can also contact Information & Infrastructure Assurance (IIA), within ITS, for advice on IT security, policy or privacy issues, by using their contact us page or calling the ITS help desk on (734) 764-4357 (4-HELP).
If you are wanting to report an IT security incident, see the Incident Reporting Process for details, unless the incident poses immediate danger, in which case you should call 911.
For legal advice relating to IT security, contact Jack Bernard in the Office of the General Counsel. However, you should usually talk first to your Security Liaison or IIA even if it is a legal issue, as they are best placed to help you resolve any questions or problems you have.
Established 3/4/11, last updated 3/7/17 – Contact us if you believe any information is incorrect or outdated