Implementing Information Security (SPG 601.27) and Supporting Standards

In summer 2018, the revised Information Security (SPG 601.27) policy was published, along with a number of supporting IT standards.The policy and accompanying standards represent the most comprehensive revision of the university’s information security program since its inception over a decade ago.

  • Phased Compliance. All university units are participating in a two-year phased implementation process leading toward full compliance as of December 31, 2020.
  • Shared Responsibility. The policy and standards rely on a shared responsibility model in which the U-M community is expected to play its part protecting U-M’s critical IT infrastructure and data assets.
  • Information Assurance Support. Information Assurance (IA) staff are meeting with university stakeholders, IT governance groups, and others throughout the fall term to outline the implementation planning process.

Support from IA

IA will work with and support all U-M campuses and Michigan Medicine throughout the implementation. Here are some initial opportunities and resources:

  • Guidance on Safe Computing. Detailed guidance, documentation, and tools to support compliance with the policy and standards are being developed and published to the Safe Computing website under Protect Your Unit’s IT. Additional content will be added during the implementation period.

  • Standards Working Sessions. Starting in November/December 2018, IA will offer working sessions for unit IT staff. Each session will consist of a detailed walk-through of the requirements for each standard, along with opportunities for questions and individual consultations. Dates, times, and locations will be posted here once sessions have been scheduled.

  • Unit-Specific Implementation Planning Meetings. Units and departments can schedule individual implementation planning meetings with IA staff by emailing  

  • Compliance Using ITS Services. Units may find it easier and more efficient to use ITS services that are already aligned to specified requirements. See the Safe Computing Sensitive Data Guide to IT Services.

SULs to Facilitate

IA is asking each unit's Security Unit Liaison (SUL) to facilitate and coordinate their unit’s implementation planning. Specific objectives of this work include:

  • Reviewing the policy and standards to understand how they will apply in each unit (for example, many requirements apply only to sensitive institutional data classified as High or Restricted)

  • Planning how to meet the minimum security requirements applicable to information systems

  • Soliciting and incorporating input of unit IT staff, administrative and business system administrators, faculty, and/or researchers

  • Collaborating to identify potential resource needs or constraints

  • Determining how to best apprise unit leadership of progress