Security & Privacy

The Information Assurance (IA) Office leads IT security, privacy, identity and access, and IT policy and compliance efforts that enable the university to excel in its teaching, research, and patient care missions.

Information assurance is a shared responsibility, and every member of the U-M community has an important role to play. IA staff members work with Security Unit Liaisons (SULs) and other staff in units across the university to coordinate and leverage university information assurance activities to help meet a variety of legal, regulatory, and university requirements, and ultimately support the university and unit missions.

Strategic Pillars

  • One U-M Information Assurance Program. Providing a consistent approach across UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine.
  • Risk-Based. Striving to secure the most sensitive and at-risk systems and data first. This helps us direct university IT security resources where they are most needed and will have the greatest impact.
  • Make it Easy. Supporting systems and investing in tools that make security the easy choice. For example, we are expanding the use of Duo two-factor authentication across the university to better protect U-M accounts, systems, and data. Duo offers multiple convenient options for users to choose from.
  • Shared Responsibility. Promoting a university-wide security culture so all U-M units and community members understand they are part of IT security at U-M. Everyone has an important part to play.
  • Faculty Engagement. Collaborating with faculty to contribute to IT security and privacy research and knowledge. We have participated in anti-phishing research and partner with faculty on events such as Privacy@Michigan and the Dissonance Speaker Series.

The pillars are built on the foundation of U-M IT policy.

How IA Supports U-M Units

  • Incident Response. IA coordinates response to serious IT security incidents in units and across the university. For non-serious IT security incidents, we analyze the situation and work with unit staff to develop and implement a plan for containment and mitigation. 
  • Threat Intelligence. Good threat intelligence helps us identify risks and threats before they turn into incidents. IA develops and deploys automated threat intelligence tools and processes that proactively defend U-M systems and data, including unit systems and data. We collaborate with Big Ten Academic Alliance schools to enhance and extend threat intelligence through a shared repository. 
  • Risk Management. IA maintains the U-M IT security risk assessment program, provides risk assessment services to the Ann Arbor campus, and supports risk assessment practices via standardized assessment tools for the entire university. IA: Michigan Medicine provides risk assessment services for Michigan Medicine. We also provide IT security and compliance assessments during system development and vendor procurement.
  • Vulnerability Management. IA conducts regular scans for vulnerabilities and notifies units when vulnerabilities are found. Additional scans and penetration testing are available on request.
  • Identity and Access Management (IAM). IA's IAM team connects the U-M community to services, resources, and information by providing consolidated identity information that can be used to manage access and enable collaboration in support of the university’s mission. The IAM team provides operational support for a framework of business processes, technology, and information that facilitates the management of digital identities, authentication, and passwords. While Michigan Medicine and the UM-Ann Arbor campus have separate IAM programs, the teams are  increasingly are sharing tools and platforms (for example, the university's two-factor solution, Duo). 
  • Compliance. IA supports numerous compliance stakeholders across U-M, collaborating on legal and regulatory compliance efforts related to HIPAA, CUI, FISMA, GLBA, GDPR, Export Controls, PCI, the Common Rule, and more.
  • Privacy Guidance. IA invites the university community to discuss privacy issues through campus events, including the Dissonance Speaker Series, and provides privacy tips and resources. A privacy program for the university is under development.
  • Network Security. IA provides strategic direction and input for U-M's network protection technologies and services, including firewalls and intrusion protection systems.
  • Education and Awareness. IA offers IT security and privacy education and awareness information for the U-M community at Safe Computing through articles in U-M publications and targeted emails, and at events like SUMIT and the Dissonance Speaker Series. We also offer IT security training and self-phishing education.
  • Unit Guidance. IA provides guidance and tools to units to help protect unit IT and meet the requirements detailed in the university's IT security policy and standards, as well as comply with data protection laws and regulations. Our most popular tool is the Sensitive Data Guide, which lists which storage and sharing services available at U-M are approved for which sensitive data types. In addition, IA staff are available to consult and assist.

U-M Information Assurance Leadership

  • Sol Bermann, University Privacy Officer and Interim Chief Information Security Officer (CISO), accountable for IT security across UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine.
  • Jack Kufahl, Michigan Medicine CISO, accountable for IT security within Michigan Medicine.

How to Contact IA

  • Your Security Unit Liaison (see SUL directory). For most things, your SUL will work directly with IA. IA holds quarterly SUL meetings and communicates regularly with SULs via email. SULs and unit IT staff may request IA services on behalf of their unit.
  • ITS Service Center. You and your staff can ask IT security, privacy, and identity and access management questions and request IA services through the ITS Service Center.
  • Incident Response. Report IT security incidents to [email protected] (that group includes the IA incident responders and the U-M and Michigan Medicine CISOs).