IT policies and standards are regularly reviewed and updated as needed, in accordance with Development of University Policy (SPG 601.35), the Procedures for Development of University Policy, and the IT Policy Development and Administration Framework.
The IT policies and standards below are currently under revision or development. Drafts, where available, are open for review. Members of the university community are welcome to provide feedback at [email protected].
Policies and Standards Under Review
Security Log Collection, Analysis, and Retention (DS-19) - REVISION
- Revision stage: This standard is being revised to include updated requirements for security log collection.
- Summary of proposed changes is available for review (U-M login required). Contact [email protected] with questions and comments.
- TARGET COMPLETION DATE: Winter 2025.
Access, Authorization, and Authentication Management (DS-22) - REVISION
- Revision stage: This standard is being revised to 1) remove outdated references and sections, 2) add a requirement on the use of default passwords, and 3) add a requirement for two-factor authentication for remote access to U-M systems.
- Draft of the revision is available for review (U-M login required). Contact [email protected] with questions and comments.
- TARGET COMPLETION DATE: Winter 2025.
Institutional Data Resource Management (SPG 601.12) - REVISION
- Revision stage: This policy is being updated to reflect changes to technology and the U-M Data Governance Framework.
- Executive summary is available for review (U-M login required). Contact [email protected] with questions and comments.
- TARGET COMPLETION DATE: Winter 2025.
Information Security Incident Reporting (SPG 601.25) - REVISION
- Revision stage: This policy is being updated to make it clearer and more concise.
- Executive summary is available for review (U-M login required). Contact [email protected] with questions and comments.
- TARGET COMPLETION DATE: Winter 2025.
Recently Updated Policies and Standards
IP Addressing (SPG 601.15) and Domain Naming (SPG 601.15-1)
- IP addressing has become a common practice that does not require SPG-level oversight, while the complexity of domain naming has outgrown the parameters specified in the policy. SPG 601.15 and SPG 601.15-1 have been merged into one streamlined policy. See the Executive Update Summary for more details (U-M login required).
- UPDATE DATE: July 25, 2024.
Endpoint Security Administration (DS-23)
- The Endpoint Security Administration (DS-23) standard focuses on required security measures for all university-owned systems, including broad implementation of enterprise enhanced endpoint protection (CrowdStrike Falcon); adherence to the principle of least functionality; and creation and maintenance of an inventory of university-owned systems. See the Executive Summary for more details (U-M login required).
- UPDATE DATE: December 4, 2024.
Network Security (DS-14)
- The Network Security (DS-14) standard was revised to include new requirements for network security and updated roles and responsibilities. See the Summary of proposed changes for more details (U-M login required).
- UPDATE DATE: February 18, 2025.