General Information Technology Policies

Learn More About U-M Compliance

Information Security Laws and Regulations require the university to apply certain security safeguards around institutional data. Industry standards, such as those that apply to credit card payments, create additional requirements.

University policies support institutional compliance with relevant laws, regulations, and industry standards. They are housed in an official repository maintained to guide and direct the university community.

Responsible Use Policies

Responsible use policies stipulate the principles, rules, standards of conduct, and practices that members of the university community agree to comply with as a condition of being provided access to U-M information networks and resources.

The U-M Statement on Stewardship outlines the fundamental responsibilities of every member of the university community as a steward of university resources, including information resources.

Information Security Policies

Information security policies address how the university protects its information technology assets and sensitive institutional data while complying with all relevant laws and regulations.

To report a security breach, see Report an IT Security Incident.

Privacy Policies

Privacy policies express the university’s commitment to maintain the privacy and confidentiality of personal information belonging to any member of the U-M community: students, faculty, staff, patients, customers, alumni, donors, and visitors. These policies state the conditions under which U-M maintains, stores, or discloses personal information and complies with privacy laws and regulations.

Data Management Policies

Data management policies reflect the current data governance structure at U-M. They cover the end-to-end lifecycle of all institutional data and, most importantly, support access by appropriate and authorized members of the university community to trustworthy and reliable institutional data when and where it is needed.

Information Technology Systems Policies

IT systems policies help ensure that the university is consistently applying technical processes and protocols that reflect industry best practices.

IT Standards

IT standards provide more detailed guidance for implementing university policies. They are generally associated with and support a specific policy. They fall into two categories: data security (DS) and data management (DM). Final approval for IT standards rests with the university vice president for information technology and chief information officer.


| IT Standard | Related University Policy | Guidance |
|---|---|---|
| Sensitive Regulated Data: Permitted and Restricted Uses (DS-06) | Responsible Use of Information Resources (SPG 601.07); Institutional Data Resource Management Policy (SPG 601.12) | |
| Unit-Specific Requirements for Employee Self-Management of Personally Owned Devices that Access Sensitive Institutional Data (DS-07) | Information Security (SPG 601.27) | Sensitive U-M Data on Personal Devices |
| Security of Enterprise Application Integration (DS-09) | Information Security (SPG 601.27) | Access, Authorization, and Authentication |
| Social Security Number Privacy and Protection (DS-10) | Privacy and the Need to Monitor and Access Records (SPG 601.11) | Sensitive Data Guide |
| Electronic Data Disposal and Media Sanitization (DS-11) | Information Security (SPG 601.27) | Securely Dispose of U-M Data and Devices |
| Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12) | Information Security (SPG 601.27) | Disaster Recovery Management; Back Up U-M Data |
| Information Security Risk Management (DS-13) | Information Security (SPG 601.27) | Information Security Risk Management |
| Network Security (DS-14) | Information Security (SPG 601.27) | Network Security Management |
| Encryption (DS-15) | Information Security (SPG 601.27) | Encryption |
| Information Assurance Awareness, Training, and Education (DS-16) | Information Security (SPG 601.27) | Training, Education, and Awareness |
| Physical Security (DS-17) | Information Security (SPG 601.27) | Physical Security |
| Secure Coding and Application Security (DS-18) | Information Security (SPG 601.27) | Secure Coding & Application Security |
| Security Log Collection, Analysis, and Retention (DS-19) | Information Security (SPG 601.27) | Security Log Management |
| Third Party Vendor Security and Compliance (DS-20) | Information Security (SPG 601.27) | Third Party Vendor Security & Compliance |
| Vulnerability Management (DS-21) | Information Security (SPG 601.27) | Vulnerability Management |
| Access, Authorization, and Authentication Management (DS-22) | Information Security (SPG 601.27) | Access, Authorization, and Authentication |
| eDiscovery at the University of Michigan (DM-08) | Institutional Data Resource Management Policy (SPG 601.12) | |

Other U-M Policies with IT-Related Provisions