Information Technology Standards

IT Standards support and supplement IT policies. They provide requirements and technical specifications for complying with university policies and applicable laws and regulations.

IT Standards are mandatory and are enforced in the same manner as the university policies to which they are related.


The standards are listed below by short name and identifier, with a summary of each and the name of the related guidance page where one exists.

Accessibility Standard (AS-01)
  Summary: Related to Electronic and Information Technology Accessibility (SPG 601.20). U-M IT and digital resources should strive to meet technical accessibility requirements so that persons with disabilities can use them.

Unit-Specific Requirements for Employee Self-Management of Personally Owned Devices that Access Sensitive Institutional Data (DS-07)
  Summary: The university policy on Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33) directs members of the university community to access or maintain sensitive institutional data on personally owned devices only when necessary for the performance of university-related duties and activities. This standard communicates units' discretionary authority to adopt and enforce requirements for the use of personally owned devices that are more specific or restrictive than those defined in the policy.
  Guidance: Sensitive U-M Data on Personal Devices

Security of Enterprise Application Integration (DS-09)
  Summary: Related to Information Security (SPG 601.27). When Application Programming Interfaces (APIs) are used to connect to U-M systems that hold sensitive data, specific security provisions must be in place.
  Guidance: Access, Authorization, and Authentication

Social Security Number Privacy and Protection (DS-10)
  Summary: Related to Information Security (SPG 601.27) and Privacy and the Need to Monitor and Access Records (SPG 601.11). The university establishes security requirements to protect the privacy of individuals who provide Social Security Numbers and to manage its records and record systems responsibly.
  Guidance: SSN best practices (coming soon)

Electronic Data Disposal and Media Sanitization (DS-11)
  Summary: Related to Information Security (SPG 601.27). All U-M owned devices must be sanitized according to this standard prior to disposal as surplus. No device or storage media containing personally identifiable information, or any data classified as Restricted, High, or Moderate, may be transferred or disposed of as surplus unless the appropriate U-M-approved sanitization method has been completed and certified.
  Guidance: Securely Dispose of U-M Data and Devices

Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12)
  Summary: Related to Information Security (SPG 601.27). All units and research programs that maintain critical information technology systems must develop, implement, and regularly test disaster recovery plans for those systems. Data backups are required for all mission critical systems and for any system or machine that creates, processes, maintains, or stores data classified as Restricted or High. The standard also sets Disaster Recovery Performance Objectives by Service Tier Criticality Level.
  Guidance: Disaster Recovery Management; Back Up U-M Data

Information Security Risk Management (DS-13)
  Summary: Related to Information Security (SPG 601.27). The standard sets requirements for each phase of the information security risk management lifecycle based on data sensitivity levels and system criticality. All information systems that create, process, store, or transmit Restricted or High data must be assessed for risk. All mission critical information systems must be assessed for risk, regardless of the sensitivity level of the data they create, process, store, or transmit. Risks included in a Risk Treatment Plan must be mitigated or accepted within 180 days.
  Guidance: Information Security Risk Management

Network Security (DS-14)
  Summary: Related to Information Security (SPG 601.27). This standard describes the requirements that help ensure the confidentiality, integrity, and availability of network resources at U-M. It is currently under revision.
  Guidance: Network Security Management

Encryption (DS-15)
  Summary: Related to Information Security (SPG 601.27). Where technically feasible, the university requires data classified as Restricted or High to be encrypted at rest or in transit, depending on the storage location, the type of device, and whether the data is inside or outside the U-M network.
  Guidance: Encryption

Information Assurance Awareness, Training, and Education (DS-16)
  Summary: Related to Information Security (SPG 601.27). U-M employees are expected to engage in regular data protection awareness, education, and training courses and campaigns. In addition, certain job functions, or working with specific types of data, may require additional specialized training or education.
  Guidance: Training, Education, and Awareness

Physical Security (DS-17)
  Summary: Related to Information Security (SPG 601.27). Any U-M facility at which data classified as Restricted or High is processed or stored must implement physical security controls based on the risks associated with unauthorized access and on the type of facility in which the data are maintained. All units are required to document and implement the procedures necessary to comply with this standard, and to train their faculty and staff on them.
  Guidance: Physical Security

Secure Coding and Application Security (DS-18)
  Summary: Related to Information Security (SPG 601.27). This standard identifies secure coding practices and lays out expectations for applying them based on data sensitivity levels.
  Guidance: Secure Coding & Application Security

Security Log Collection, Analysis, and Retention (DS-19)
  Summary: Related to Information Security (SPG 601.27). Logging must be enabled at the operating system, application, database, and device levels wherever data classified as Restricted, High, or Moderate are created, processed, maintained, transmitted, or stored. The standard specifies roles, responsibilities, and retention periods. It is currently under revision.
  Guidance: Security Log Management

Third Party Vendor Security and Compliance (DS-20)
  Summary: Related to Information Security (SPG 601.27). Before establishing a contractual relationship with a vendor, U-M units must identify the data that will be shared with or accessed by the vendor and its appropriate data classification. The standard specifies assessment and contractual requirements based on data sensitivity levels.
  Guidance: Third Party Vendor Security & Compliance

Vulnerability Management (DS-21)
  Summary: Related to Information Security (SPG 601.27). This standard sets expectations for vulnerability scanning frequency based on data sensitivity levels (monthly scanning is required for systems with Restricted or High data) and for remediation timeframes (1 month for critical-priority and 3 months for high-priority vulnerabilities).
  Guidance: Vulnerability Management

Access, Authorization, and Authentication Management (DS-22)
  Summary: Related to Information Security (SPG 601.27). This standard establishes the framework for provisioning and deprovisioning access by staff and workforce members to U-M systems and applications that create, process, maintain, transmit, or store sensitive institutional data. It also sets authentication requirements, including the use of two-factor authentication to protect U-M's most sensitive data and computing resources.
  Guidance: Access, Authorization, and Authentication

eDiscovery at the University of Michigan (DM-08)
  Summary: Related to Institutional Data Resource Management Policy (SPG 601.12). U-M is obligated to make good faith efforts to preserve electronically stored information that could be relevant to pending or reasonably anticipated lawsuits, and, where required, to retrieve and produce this information in the course of the litigation process. The guidelines in the standard also apply to paper and other media containing information relevant to a given case.

HIPAA Code of Conduct and Confidentiality Agreement (C-03)
  Summary: Related to Responsible Use of Information Resources (SPG 601.07), Privacy and the Need to Monitor and Access Records (SPG 601.11), and Information Security (SPG 601.27). The agreement enumerates U-M staff's responsibilities for appropriately accessing and maintaining Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
  Guidance: Using ITS HIPAA-Aligned Services