Information security policy revised and approved


The revised University of Michigan policy Information Security (SPG 601.27) was recently approved, along with a number of new Information Technology Standards, and will be phased in over the next two years. The policy, which is included in the university’s Standard Practice Guide, and its accompanying standards represent the most comprehensive revision of the institution’s information security program since its inception over a decade ago.

SPG 601.27 and the standards are based on a cybersecurity risk management framework that incorporates best practices for protecting U-M’s critical IT infrastructure and data assets.

The implementation of the policy and standards will take some time given the more detailed nature of the standards. Implementation will be phased in over two years, with an anticipated compliance date of Dec. 31, 2020.

Policy revisions include broader institutional information security responsibility, more limited discretionary risk acceptance at the unit and clinic level, expanded and more specific guidance for units and clinics, and a new four-level data classification scheme for sensitive institutional data.

“Information security, particularly for a highly distributed and collaborative environment like our institution, is an evolving paradigm. The revised Information Security policy strives to balance appropriately securing the institution while supporting open collaboration and innovation in research, teaching, learning, and clinical care,” said Ravi Pendse, vice president for information technology and chief information officer.

“It also acknowledges that everyone—faculty, staff, and students—shares the responsibility for information security. We are all in this together.”

Meetings are being set up with university stakeholders, IT governance groups, and others to outline the implementation planning process. Meanwhile, Michigan Medicine’s Security Unit Liaison and others across the university are being asked to facilitate, coordinate, and communicate implementation planning.

“Information security is a shared responsibility. People, process, and technology must work in coordination to ensure a secure environment,” said Jack Kufahl, Michigan Medicine’s chief information security officer. “This new SPG establishes the expectation that we all do our part to protect U-M’s information assets.”

Initial opportunities and resources for getting everyone off to a good start include regularly updated guidance on the Safe Computing website, working sessions with HITS staff and other IT staff on the various campuses, and availability of existing IT services that are already aligned or working toward alignment with policy and standards requirements.

Ongoing feedback will be a critical component of the implementation process. Michigan Medicine community members are encouraged to send their thoughts and ideas to