Information Security Policy

Applies to: All Faculty and Staff


This policy establishes University-wide strategies and responsibilities for protecting the confidentiality1, integrity, and availability of the information assets that are accessed, managed, and/or controlled by the University. Information assets addressed by the policy include data, information systems, computers, network devices, as well as documents and verbally2 communicated information.

By implementing this policy, the University will:

  • Establish a University-wide information security framework to appropriately secure access to information resources and services;
  • Protect against unauthorized access to, use, or sharing of, sensitive information that could potentially result in harm to the University or to members of the University community;
  • Protect against anticipated threats or hazards to the security of information assets;
  • Comply with federal, state, and local law, University policies, and agreements binding the University that require the University to implement applicable security safeguards.


Additional information that supports this policy can be found in the Information Security Policy Supplement.

  1. Members of the University community have individual and shared responsibilities to protect the information assets controlled by the University in accordance with federal, state, and local law, University policies, and agreements binding the University.
  2. Each University unit will develop, maintain, and implement an information security plan. The plan will identify applicable regulations and will define unit security initiatives.
  3. Each University unit will identify and track sensitive and critical Information assets under its control. Information assets will be classified relative to the level of risk that their compromise may pose to the institution. Information asset classification standards and guidelines will be adhered to.
  4. Each University unit will periodically conduct risk assessments around its sensitive and critical information assets. Risk assessments will prioritize risks and recommend appropriate mitigation strategies.
  5. Each University unit will report and manage information security incidents in accordance with established policies and guidelines, including SPG 601.25, Information Security Incident Reporting.
  6. Each University unit will implement Security safeguards that are appropriate to information asset sensitivity, criticality, and the level of risk identified in the risk assessment process.


University Deans and Directors are responsible for implementing and ensuring compliance with this policy. Responsibilities include:

  1. Communicating this policy to their community and ensuring appropriate education and training;
  2. Designating individuals to unit information security roles, ensuring they are properly trained, and ensuring their ongoing participation in University-wide security activities;
  3. Ensuring the implementation of information security plans within their units;
  4. Ensuring unit collaboration on the implementation of the University-wide IT Security Program.

The Chief Information Technology Security Officer is responsible for:

  1. Directing and coordinating the University-wide IT Security Program;
  2. Determining unit-level compliance with this policy;
  3. Providing a focal point for oversight of serious security incidents as indicated in SPG 601.25, Information Security Incident Reporting;
  4. Establishing security metrics, tracking the progress of the IT Security Program, and providing a University-wide risk profile;
  5. Assisting units in fulfilling their information security requirements.


AVAILABILITY refers to the level of assurance that authorized users have access to information resources when required.

CONFIDENTIALITY refers to the level of assurance that information is not made available or disclosed to unauthorized individuals, entities, or processes.

CRITICALITY refers to the relative importance of the information to the mission of the University, and reflects the degree to which the information requires protection to ensure it is not accidentally or maliciously altered or destroyed.

INFORMATION ASSET refers to data, system, computer, network device, document, or any other component of the university infrastructure which stores, processes or transmits data.

INTEGRITY refers to the assurance that information is not accidentally or maliciously altered or destroyed.

SECURITY SAFEGUARDS refer to protective measures prescribed to meet security requirements (i.e., confidentiality, integrity, availability) specified for an information asset or environment. Also called security controls or countermeasures.

SENSITIVE INFORMATION refers to information whose unauthorized disclosure may have serious adverse effect on the University’s reputation, resources, services, or individuals. Information protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as sensitive.

SENSITIVITY refers to the degree to which information requires protection to ensure it is not exposed to unauthorized users.

UNIT refers to any organization across the University such as a school, college, department, or central office. The Health System as well as the Flint and Dearborn campuses are considered University units.


Data Steward/Data Manager List (http://cio.umich.edu/data-stewardship/data-management.php )

UMHS HIPAA Information (http://www.med.umich.edu/u/hipaa/index.htm)

U-M GLBA Information Security Program (https://www.safecomputing.umich.edu/sites/default/files/UM-GLBA-Information-Security-Program.pdf)

University Statement on Stewardship (https://hr.umich.edu/about-uhr/statement-stewardship)

University Student Rights and Records Policy (http://ro.umich.edu/ferpa/)


1  Words that appear in italics are defined in the Definitions section.

2  HIPAA http://www.med.umich.edu/u/hipaa/index.htm requires taking reasonable precautions when verbally communicating protected health information. Precautions should also be taken when verbally communicating other sensitive information.

SPG Number
Date Issued
Next Review Date
Applies To
All Faculty and Staff
Office of the Executive Vice President and Chief Financial Officer, the Office of the Provost and Executive Vice President for Academic Affairs, and the Office of the Executive Vice President for Medical Affairs
Primary Contact
Office of the CIO