Standard number: DS-16
Date issued: 7/1/2018
Date last reviewed: 3/3/2022
Date of next review: 6/30/2025
Version: 1.1
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance
This Standard supports and supplements the Information Security (SPG 601.27) policy. The Standard is mandatory and enforced in the same manner as the policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
I. Overview
Protecting the confidentiality, integrity, and availability of U-M systems and data is the responsibility of all members of the U-M community. By participating in information assurance awareness, training and education, members of the U-M community can help reduce the risk of data breaches, maintain compliance with applicable laws, regulations, contractual agreements, and U-M policies, and ultimately help protect U-M systems and data. As an additional benefit, information assurance education and awareness provides individuals with the knowledge and skills that help them protect their own devices and data.
II. Scope
This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, all affiliates, and all faculty, staff, workforce members, and sponsored affiliates. The scope includes general and topic-specific awareness activities, training, and required access compliance for all users of U-M information resources. It does not include required or optional specialized training and certification courses for IT professionals.
III. Roles and Responsibilities
- Chief Information Security Officer (CISO)
  - Support a university-wide awareness, training, and education program and advocate for resources and funding;
  - Collaborate with other university stakeholders to ensure support and dissemination of communications are maintained;
  - Provide guidance on the strategic direction, planning, and prioritization.
- Information Assurance (IA)
  - Responsible for promoting information assurance awareness and related communications to the university community;
  - Maintain the Safe Computing website with up-to-date guidance, tips, and how-to instructions;
  - Develop and manage online security-related modules;
  - Contribute to multiple repositories of compliance and security materials;
  - Ensure the program meets university and industry regulations, standards, and compliance requirements;
  - Integrate and support broader university-wide education and awareness efforts;
  - Assess current and planned education and awareness systems for consistency and improvement;
  - Coordinate and track ongoing education and awareness activities and projects;
  - Foster relationships with internal and external customers and collaborate with teams, stakeholders, and partners to understand and implement improvements;
  - Collaborate with teams to develop education and awareness materials and help support training needs.
- Unit IT Managers & Security Unit Liaisons
  - Collaborate with IA to meet shared awareness, training, and educational needs;
  - Develop and implement ongoing unit-based awareness activities and training as needed;
  - Participate in the dissemination of educational and awareness materials to their units;
  - Ensure that all users (including vendors and contractors) of their systems and applications are appropriately trained before allowing them access to enterprise or unit-specific systems and applications.
- Users
  - Understand and comply with U-M information security policies, practices, and procedures, especially Responsible Use of Information Resources (SPG 601.07), Information Security Incident Reporting (SPG 601.25), and Information Security (SPG 601.27);
  - Be aware of actions they can take to better protect U-M information resources for which they are responsible, as well as their own information;
  - As appropriate, be knowledgeable about complying with federal and state regulations directed at protecting sensitive institutional and personal data.
IV. Standard
The university offers information assurance awareness, education, and training activities, informational and instructional resources, and programs that enable members of the university community to carry out their shared responsibility to protect U-M’s most sensitive institutional information assets. The university and its units may, at their discretion, require U-M faculty, staff, and workforce members to complete specific training and compliance activities based on their access to sensitive institutional data. Additional training requirements may be established by units based on the needs of specific work environments.
Users are the single most important group of people that can help to reduce unintentional errors, unauthorized disclosures, and IT vulnerabilities. Users include employees (faculty, researchers, clinical team members, workforce, staff), affiliates, contractors and other third parties, and students. U-M employees are expected to engage in regular data protection awareness, education, and training courses and campaigns. In addition, certain job functions or working with specific types of data may require additional specialized training or education.
To ensure that U-M employees and workforce members stay up-to-date on required training, it is recommended that participation in information assurance training and awareness be included, when appropriate, in staff work plans and be reflected in performance evaluations.
Security training certification records for U-M employees who successfully complete training modules in U-M’s web-based learning and information center are maintained throughout the employment of the staff member. For Michigan Medicine workforce, training records are maintained in the Michigan Medicine Learning Management System. It is recommended that units that require additional training maintain records of individual staff member participation.
V. References
VI. Related NIST Security Controls
- Building a Cybersecurity and Privacy Learning Program, NIST SP 800-50 Rev. 1 (September 2024)
- NIST SP 800-53 Revision 5:
  - AT-01 Security Awareness and Training Policy and Procedures
  - AT-02 Security Awareness Training
  - AT-03 Role-Based Security Training
  - AT-04 Security Training Records