IT Policies Under Review
The policies listed below are in the review or development phase in accordance with the IT Policy Development and Administration Framework. Proposed drafts will be added as available and will be open for review and comment. Members of the university community are welcome to provide feedback regarding the current policy’s strengths, shortfalls, and effectiveness, as well as what should be included or better accounted for in a revised policy.
The comments period for these policy revisions is closed.
Information Security Policy (SPG 601.27)
- Current Policy
- Proposed Policy
- Objectives of the revised Information Security Policy
- Proposed IT Security Standards to Support New SPG
The revised SPG 601.27 will be supported and supplemented by specific operational, procedural, and technical standards. The Standards will be mandatory and enforced in the same manner as the policy. They will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
Drafts of the revised SPG 601.27 and the following Standards are available for campus community feedback:
- Access, Authentication, and Authorization Management
- Disaster Recovery Planning for Information Systems and Services
- Electronic Data Disposal and Media Sanitization
- Information Assurance Awareness, Training, and Education
- Information Security Risk Management
- Network Security
- Physical Security
- Requests for Exception to Information Security Policy
- Secure Coding and Application Security
- Security of Enterprise Application Integration
- Security Log Collection, Analysis, and Retention
- Third Party Vendor Security and Compliance
- Vulnerability Management
About Data Enclaves: The proposed policy includes the concept of a data enclave. While we refine our definition, see ICPSR's description of their virtual data enclave model as an example of how one such environment operates.
Comprehensive Review: The Information Security Policy SPG is the overarching policy that lays out the framework and principles designed to protect the information assets and institutional sensitive data of the university. The SPG was originally issued in 2008, soon after U-M first established a separate information security group and program. Given the significant increase in cyber attacks directed at higher education institutions and the attendant costs and risks associated with such attacks, it is important that this policy be revised and updated to satisfactorily provide for 21st century security best practices while supporting and advancing U-M’s core missions.
Institutional Data Resource Management Policy (SPG 601.12)
Comprehensive Review: The Institutional Data Resource Management SPG is the U-M policy that establishes principles for the management of institutional data in a manner that optimizes its confidentiality, integrity, quality, and availability. The policy also addresses additional issues such as determining access rights to data, compliance with federal and state laws and regulations, and ensuring high-quality data resources are readily available to decision-makers. The revised policy will incorporate changes to U-M data classification and security objectives and expectations.
The SPG was originally issued in 1994 and was reviewed and revised in 2008.
Domain Name System Standards at the University of Michigan (SPG 601.15-1)
Comprehensive Review: The Domain Name System Standards SPG is the U-M policy detailing how the university interprets international standards to assign domain names and URLs to specific departments, programs, services, or initiatives. While largely a technical issue with an easily determined outcome in most situations, there is a need for an exception process and for a decision-making process related to making exceptions and resolving requests that have reputational ramifications.
The SPG was originally issued in 1997 and has never been revised. A multi-department working group met in 2011 and drafted the attached guidelines to serve as a proposed alternative to the SPG, which is the starting point for the current formal review.