The university engages in research, teaching, clinical, and administrative activities that encompass a large variety and volume of sensitive regulated data. Supporting these institutional missions increasingly requires sharing applications and data across multiple systems.
Enterprise application integration, including APIs, remote data access between systems and other database links, connects and integrates enterprise operating systems with applications in units or projects across campus that may be based on different technologies.
The purpose of this Standard is to provide information security requirements for enterprise application integration that: a) integrate security across applications and infrastructure by implementing specific privacy and security safeguards; and b) minimize the vulnerability of enterprise systems to external attacks, unauthorized disclosure of sensitive data, or unauthorized access to administrative interfaces or system configurations.
This Standard applies to all departments, institutes, centers, and faculty, researchers, staff, students, and workforce members of the U-M, including the Health System.
Information Assurance is responsible for the maintenance and interpretation of this standard.
The following university SPGs govern this standard:
- Institutional Data Management: Institutional Data Resource Management Policy (SPG 601.12)
- Acceptable Use of U-M Computing Resources: Responsible Use of Information Resources (SPG 601.07)
- Information Security (SPG 601.27)
- Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33)
A shared account is an enterprise system account with access independent of any individual’s computing account. Some enterprise APIs that allow for access to U-M enterprise data systems with sensitive data require a shared account with elevated access. Shared accounts allow for multiple members of a team to authenticate to the API directory using the same credentials to log on. The information security provisions of this Standard are designed to reduce the risk of threats to institutional data from misuse of shared enterprise accounts including credentials theft; inappropriate disclosure of sensitive data; data tampering, and unauthorized access to administrative interfaces and configuration stores, among others.
Identification of Business Need
Owners of shared accounts must identify a specific business need or application when submitting an integration request. This is especially critical if the request will result in sensitive institutional or regulated data being accessed or stored. The request should also specify a time period up to one year for which access is needed. Data accessed as a result of approval of this request can only be used for the limited and specific purpose described in the request. A separate request must be submitted and approved for any other use of the data or application.
There should be a designated owner and co-owner identified for each integration request. The owners are jointly accountable for the security of the data, system, or application to which they have been provided access. The owners may delegate specific functions to authorized users, but not their accountability. The default practice should be that only owners are granted administrator privileges. Owners can allow exceptions for other authorized users with a work-related need for administrator privileges.
Owners are specifically responsible for:
- Maintaining the security of any account credentials issued that provide remote data access or APIs to enterprise applications or systems;
- Maintaining the privacy of personally identifiable data;
- Providing end-user information security guidance to all users granted authorized account credentials
- Ensuring that technical security controls are appropriately prioritized;
- Managing and minimizing workstation security vulnerabilities by ensuring that all workstations are encrypted and up-to-date with anti-virus software and security patches;
- Only transmitting sensitive data encrypted and via a secured connection
Systems, databases, applications, and APIs that access or accept transferred sensitive data through enterprise application integration must handle and store sensitive regulated data in compliance with Information Security (SPG 601.27).
Other U-M Compliance Requirements
Some requests for enterprise application integration may be part of a research project that must meet other institutional compliance requirements, including institutional review boards. It is the responsibility of the researcher to satisfactorily meet all compliance requirements.
Institutional Data Access and Compliance Agreement
In addition, all U-M users provided the credentials for access to a system, application, or API must have previously attested to the University of Michigan Institutional Data Access and Compliance Agreement. All its terms and conditions continue to apply with respect to data or systems accessed as a result of the approval of this request.
Access and Authentication Controls
Only staff members authorized by the owners should be granted the credentials that permit access to the API, application, or enterprise system covered by this request. Access should be granted with the least privilege to authorized users to perform the tasks that they are authorized to perform and only for the duration required to complete them. Authentication must use MCommunity as source of user credentials.
Authoritative Data Source
Data are maintained and updated at the authoritative source in respective U-M enterprise administrative systems. Data obtained through APIs can be stored or cached but every effort should be made to use fresh data recently fetched from the API.
To maintain the security and privacy of the data or systems, it is the responsibility of the owners to remove collaborators when they no longer need access to files or folders. This is particularly important when staff members or U-M affiliates leave their position and no longer have responsibilities that require access to the files.
Deactivating, suspending, or terminating access or administrator privileges should occur promptly after notification that a staff member or U-M affiliate has left his or her position or no longer has a work-related need for access.
Renewal of Requests
All approved requests will expire one year after approval is granted and must be renewed if still needed. Credentials that are not renewed by the expiration date will expire and access will be terminated.
Reporting IT Security Incidents
All staff must report any serious information security incidents, and specifically any resulting from this enterprise application middleware request, to the ITS Service Center within 24 hours of becoming aware of the incident. More specifics on incident reporting are provided at Report an IT Security Incident.
Violations and Sanctions
Enterprise application integration approvals can be withdrawn when the owner fails to meet minimum security requirements as specified in this document. Individual users found responsible for disclosure of confidential or sensitive data as a result of unauthorized or abuse of access or other violations of the Responsible Use of Information Resources (SPG 601.07) are subject to sanctions provided for in that SPG.