Information Security Laws and Regulations require the university to apply certain security safeguards around institutional data. Industry standards, such as those that apply to credit card payments, create additional requirements.
University policies support institutional compliance with relevant laws, regulations, and industry standards. They are housed in an official repository maintained to guide and direct the university community.
Responsible Use Policies
Responsible use policies stipulate the principles, rules, standards of conduct, and practices that members of the university community agree to comply with as a condition of being provided access to U-M information networks and resources.
- Responsible Use of Information Resources (SPG 601.07)
- Electronic Access to Potentially Offensive Materials (SPG 601.16)
The U-M Statement on Stewardship outlines the fundamental responsibilities of every member of the university community in their functioning as a steward of university resources, including information resources.
Information Security Policies
Information security policies deal with how the university protects its information technology assets and institutional sensitive data while complying with all relevant laws and regulations.
- Information Security (SPG 601.27)
- Information Security Incident Reporting (SPG 601.25)
- Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33)
To report a security breach, see Report an IT Security Incident.
Privacy Policies
Privacy policies express the university’s commitment to maintain the privacy and confidentiality of personal information belonging to any member of the U-M community: students, faculty, staff, patients, customers, alumni, donors, and visitors. These policies state the conditions under which U-M maintains, stores, or discloses personal information and complies with privacy laws and regulations.
- Regents Bylaw 14.07, Privacy and Access to Information
- Privacy and the Need to Monitor and Access Records (SPG 601.11)
- Identity Misrepresentation (SPG 601.19)
Data Management Policies
Data management policies reflect the current data governance structure at U-M. They are concerned with the end-to-end lifecycle of all institutional data, and most importantly support the access by appropriate and authorized members of the university community to trustworthy and reliable institutional data when and where it is needed.
- Institutional Data Resource Management Policy (SPG 601.12)
- HIPAA Code of Conduct and Confidentiality Agreement
Information Technology Systems Policies
IT systems policies help ensure that the university is consistently applying technical processes and protocols that reflect industry best practices.
IT Standards
IT standards provide more detailed guidance for implementing university policies. They are generally associated with and support a specific policy. They fall into two categories: data security (DS) and data management (DM). Final approval for IT standards rests with the university vice president for information technology and chief information officer.