Information Technology Policies Under Review

IT policies and standards are regularly reviewed and updated as needed, in accordance with Development of University Policy (SPG 601.35), the Procedures for Development of University Policy, and the IT Policy Development and Administration Framework.

The IT policies and standards below are currently under revision or development. Drafts, where available, are open for review. Members of the university community are welcome to provide feedback at [email protected].

Policies and Standards Under Review

Institutional Data Resource Management (SPG 601.12) - REVISION

  • Revision stage: This policy is being updated to reflect changes to technology and the U-M Data Governance Framework.
  • Executive summary is available for review (U-M login required). Contact [email protected] with questions and comments.
  • TARGET COMPLETION DATE: Summer 2025.

Information Security Incident Reporting (SPG 601.25) - REVISION

  • Revision stage: This policy is being updated to make it clearer and more concise.
  • Executive summary is available for review (U-M login required). Contact [email protected] with questions and comments.
  • TARGET COMPLETION DATE: Summer 2025.

Recently Updated Policies and Standards

Endpoint Security Administration (DS-23)

  • The Endpoint Security Administration (DS-23) standard focuses on required security measures for all university-owned systems, including broad implementation of enterprise enhanced endpoint protection (CrowdStrike Falcon); adherence to the principle of least functionality; and creating and maintaining an inventory of university-owned systems. See the Executive Summary for more details (U-M login required).
  • UPDATE DATE: December 4, 2024.

Network Security (DS-14)

  • The Network Security (DS-14) standard was revised to include new requirements for network security and updated roles and responsibilities. See Summary of changes for more details (U-M login required).
  • UPDATE DATE: February 18, 2025.

Security Log Collection, Analysis, and Retention (DS-19)

Access, Authorization, and Authentication Management (DS-22)

  • The Access, Authorization, and Authentication Management (DS-22) standard was revised to remove outdated references and sections, add a requirement on the use of default passwords, and add a requirement for two-factor authentication for remote access to U-M systems. See the Revision draft for more details (U-M login required).
  • UPDATE DATE: June 26, 2025.