Laws and Regulations
Information Security Laws and Regulations require the university to apply certain security safeguards around sensitive institutional data at specific data classification levels. Industry standards, such as those that apply to credit card payments, create additional requirements.
Policies and Standards
University policies support institutional compliance with laws, regulations, and industry standards. They are housed in the U-M Standard Practice Guide (SPG) and go through an extensive and lengthy review process. Final approval for new policies and revisions to existing ones rests with the university's executive officers.
IT standards provide more detailed guidance for implementing university policies. They are generally associated with and support a specific policy. They fall into two categories: data security (DS) and data management (DM). Final approval for IT standards rests with the university vice president for information technology and chief information officer. These are typically updated more frequently than are university policies.
Responsible use policies stipulate the principles, rules, standards of conduct, and practices that members of the university community agree to comply with as a condition of being provided access to U-M information networks and resources.
- Responsible Use of Information Resources (SPG 601.07)
- Electronic Access to Potentially Offensive Materials (SPG 601.16)
The U-M Statement on Stewardship outlines the fundamental responsibilities of every member of the university community in their functioning as a steward of university resources, including information resources.
Information security policies and standards deal with how the university protects its information technology assets and institutional sensitive data while complying with all relevant laws and regulations.
- Information Security (SPG 601.27)
- Access, Authorization, and Authentication Management (DS-22)
- Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12)
- Electronic Data Disposal and Media Sanitization (DS-11).
- Safe Computing Guidance: Securely Dispose of U-M Data and Devices.
- Encryption (DS-15)
- Information Assurance Awareness, Training, and Education (DS-16)
- Safe Computing Guidance: Training, Education, and Awareness
- Information Security Risk Management (DS-13)
- Safe Computing Guidance: Information Security Risk Management
- Network Security (DS-14)
- Physical Security (DS-17)
- Secure Coding and Application Security (DS-18)
- Safe Computing Guidance: Secure Coding & Application Security
- Security of Enterprise Application Integration (DS-09)
- Security Log Collection, Analysis, and Retention (DS-19)
- Safe Computing Guidance: Security Log Management
- Third Party Vendor Security and Compliance (DS-20)
- Safe Computing Guidance: Third Party Vendor Security & Compliance
- Vulnerability Management (DS-21)
- Safe Computing Guidance: Vulnerability Management
- Information Security Incident Reporting (SPG 601.25)
- To report a security breach, see Report an IT Security Incident
- Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33)
Privacy policies and standards express the university’s commitment to maintain the privacy and confidentiality of personal information given to it, whether from students, faculty, staff, patients, customers, alumni, donors, or visitors. These policies state the conditions under which U-M maintains, stores, or discloses personal information and complies with privacy laws and regulations.
- Regents Bylaw 14.07, Privacy and Access to Information
- Privacy and the Need to Monitor and Access Records (SPG 601.11)
- Identity Misrepresentation (SPG 601.19)
Data management policies and standards reflect the current data governance structure at U-M. are concerned with the end-to-end lifecycle of all institutional data, and most importantly support the access by appropriate and authorized members of the university community to trustworthy and reliable institutional data when and where it is needed.
- Institutional Data Resource Management Policy (SPG 601.12)
Information Technology System Standards
System standards help ensure that the university is consistently applying technical processes and protocols that reflect current industry best practices. System standards carry the weight of policy and are housed in the U-M Standard Practice Guide (SPG).
Other U-M Policies with IT-Related Provisions
- Acquisition, Use and Disposition of Property (Exclusive of Real Property) (SPG 520.01)
- Identification and Access Control Cards/Identification Photos (SPG 601.13)
- Procurement General Policies and Practices (SPG 507.01)
- Proper Use of Security Cameras (SPG 606.01)
- Software Procurement and Licensing Compliance (SPG 601.03-3)
- Tech Tools: Cell Phones and Portable Electronic Resources (SPG 514.04)