Minimum Information Security Requirements for Systems, Applications, and Data

U-M's Information Security policy (SPG 601.27) and the U-M IT security standards apply to all U-M units, faculty, staff, affiliates, and vendors with access to U-M institutional data. Federal or state regulations and contractual agreements may require additional actions that exceed those included in U-M's policies and standards.

Use the table below to identify minimum security requirements for your system or application. To use the table, you need to do both of the following:

Requirements are organized by standard:

Icon Key:

  • checkmark icon Required
  • circle icon Recommended
  • minus icon Not applicable
  • X icon Not allowed

Access, Authentication, and Authorization Management

Access, Authentication, and Authorization Management (DS-22)

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Uniquely identify individual system users

Not Applicable Restricted High Moderate Not Applicable

Include responsible use notification and user acknowledgement at login

Not Applicable Restricted High Moderate Not Applicable

Grant the minimum, sufficient access or privileges

Not Applicable Restricted High Moderate Not Applicable

Separate duties related to granting of access

Not Applicable Restricted High Moderate Not Applicable

Require training and agreement prior to access

Not Applicable Restricted High Moderate Not Applicable

Employ role-based access controls

Not Applicable Restricted High Not Applicable Not Applicable

(Users) Access sensitive data only as necessary for job duties

Not Applicable Restricted High Moderate Not Applicable

(Users) Log out or lock unattended workstations

Not Applicable Restricted High Moderate Not Applicable

Revoke access upon termination of personnel appointments

Not Applicable Restricted High Moderate Not Applicable

Review accounts at least annually

Not Applicable Restricted High Moderate Not Applicable

Meet related regulatory and/or contractual obligations

Not Applicable Restricted High Moderate Not Applicable

Designate owners to manage privileged accounts

Not Applicable Restricted High Moderate Not Applicable

Designate owners to manage shared accounts

Not Applicable Restricted High Moderate Not Applicable

Encrypt authentication and authorization mechanisms

Not Applicable Restricted High Moderate Not Applicable

Manage passwords and password processing securely

Not Applicable Restricted High Moderate Not Applicable

Enable session lock after inactivity

Not Applicable Restricted High Not Applicable Not Applicable

Require two-factor authentication for system access

Not Applicable Restricted High Not Applicable Not Applicable

Awareness, Training, and Education

Information Assurance Awareness, Training, and Education (DS-16)
Guidance: Training, Education & Awareness

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Establish training requirements for those having access to sensitive data

Not Applicable Restricted High Moderate

Address training participation in performance management processes

Not Applicable

Maintain records of participation in required training

Not Applicable

Disaster Recovery Planning and Data Backup for Information Systems and Services

Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12)
Guidance: Disaster Recovery Management, Back Up U-M Data

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Identify mission critical systems

Critical Restricted High Moderate Low

Develop, implement and test DR plans for critical systems

Critical Not Applicable Not Applicable Not Applicable Not Applicable

Review DR plans and subsequently update/test as necessary

Critical Not Applicable Not Applicable Not Applicable Not Applicable

Evaluate new systems prior to go-live

Critical Restricted High Moderate Low

Incorporate a disaster risk assessment

Critical Not Applicable Not Applicable Not Applicable Not Applicable

Establish DR performance objectives

Critical Not Applicable Not Applicable Not Applicable Not Applicable

Align data backup procedures with DR objectives

Critical Restricted High Not Applicable Not Applicable

Ensure DR plan availability

Critical Not Applicable Not Applicable Not Applicable Not Applicable

Identify primary responsibility for data backup

Critical Restricted High Moderate Low

Ensure backups are encrypted

Not Applicable Restricted High Not Applicable

Ensure contracts with vendors include DR and data backup SLAs

Critical Restricted High Not Applicable Not Applicable

Electronic Data Disposal and Media Sanitization

Electronic Data Disposal and Media Sanitization (DS-11)
Guidance: Securely Dispose of U-M Data and Devices

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Sanitize device/storage media before transfer

Not Applicable Restricted High Moderate Low

Ensure sanitization methods meet the Standard's requirements

Not Applicable Restricted High Moderate Low

Retain certificates of sanitization for 3 years

Not Applicable Restricted High Moderate Low

Remove licensed software from device/storage media before transfer

Not Applicable Restricted High Moderate Low

Encryption

Encryption (DS-15)

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Use encryption that meets NIST FIPS minimum requirements

Not Applicable Restricted High Moderate

Encrypt data at rest in data centers

Not Applicable

Encrypt data at rest in machine rooms

Not Applicable Restricted High

Encrypt data at rest on portable and removable storage media

Not Applicable Restricted High

Encrypt data at rest on laptops (UM-owned)

Not Applicable Restricted High

Encrypt data at rest on desktops (UM-owned)

Not Applicable Restricted

Encrypt data at rest with cloud providers

Not Applicable Restricted High

Encrypt data at rest on personally owned devices

Not Applicable Not Allowed High

Encrypt all CUI data at rest

Not Applicable Not Applicable High Not Applicable Not Applicable

Encrypt data backups outside U-M data centers

Not Applicable Restricted High Not Applicable Not Applicable

Encrypt data in transit within U-M campuses

Not Applicable

Encrypt data in transit between U-M campuses

Not Applicable Restricted High

Encrypt data in transit outside U-M campuses

Not Applicable Restricted High

Implement an appropriate key management plan

Not Applicable Restricted High

Comply with applicable export/import laws and regulations

Not Applicable Restricted High Moderate Low

Information Security Risk Management

Information Security Risk Management (DS-13)
Guidance: Information Security Risk Management

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Categorize IT assets according to their sensitivity and criticality

Critical Restricted High Moderate Low

Conduct risk assessments annually

Not Applicable Restricted Not Applicable Not Applicable Not Applicable

Conduct risk assessments every four years

Critical Not Applicable High

Conduct a risk assessment soon after a serious IT security incident

Critical Restricted High Moderate Low

Conduct any risk assessments required by regulation or law

Critical Restricted High Moderate Low

Use RECON or other approved tool(s) for any required risk assessments

Critical Restricted High

Provide IA with results of unit-conducted risk assessments

Critical Restricted High Moderate Low

Maintain risk assessment data as confidential, classified as High

Critical Restricted High Moderate Low

Develop post-assessment plans to reduce risks to acceptable levels

Critical Restricted High Moderate Low

Implement the appropriate risk-reducing controls

Critical Restricted High Moderate Low

Authorize acceptance of unmitigated risks

Critical Restricted High Moderate Low

Assist IA with tracking Risk Treatment Plan progress

Critical Restricted High Moderate Low

Network Security

Network Security (DS-14)

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Implement default-deny, least-privilege policies on network firewalls

Critical Restricted High Moderate Not Applicable

Isolate trusted networks containing sensitive data from non-trusted networks

Not Applicable Restricted High Moderate Not Applicable

Securely configure network infrastructure devices

Critical Restricted High Moderate Low

Maintain accurate network documentation

Critical Restricted High Moderate Low

Document network interconnects to non-UM parties

Critical Restricted High Moderate Low

Protect devices not requiring exposure to the internet

Critical Restricted High Moderate Low

Restrict vendor remote network access to the smallest segment feasible

Not Applicable Restricted High Not Applicable Not Applicable

Obtain authorization before extending any U-M networks

Critical Restricted High Moderate Low

Encrypt wireless network traffic

Not Applicable Restricted High Moderate Not Applicable

Physical Security

Physical Security (DS-17)

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Document and implement physical security procedures, train faculty and staff

Restricted High

Formalize procedures for granting access to U-M/unit data centers

Restricted High

Limit physical access to systems containing PHI

Not Applicable Not Applicable High Not Applicable Not Applicable

Restrict physical access to only those authorized

Not Applicable Restricted High Not Applicable Not Applicable

Maintain accurate lists of those authorized to access secure locations

Not Applicable Restricted High Not Applicable Not Applicable

Review authorization lists regularly

Not Applicable Restricted High Not Applicable Not Applicable

Implement appropriate access control mechanisms and logging

Not Applicable Restricted High Not Applicable Not Applicable

Place sensitive/critical equipment in access-controlled areas

Critical Restricted High Moderate Not Applicable

Prohibit sharing of access credentials

Not Applicable Restricted High Not Applicable Not Applicable

Require that personnel identification be displayed within secured locations

Not Applicable Restricted High Not Applicable Not Applicable

Implement 24/7 video surveillance

Not Applicable Restricted High Not Applicable Not Applicable

Escort authorized vendors/visitors within secured locations

Not Applicable Restricted High Not Applicable Not Applicable

Log all vendor/visitor access to secured locations

Not Applicable Restricted High Not Applicable Not Applicable

Prohibit food and drink in secured locations

Not Applicable Restricted High Not Applicable Not Applicable

Document maintenance activities and maintain records for three years

Not Applicable Restricted High Not Applicable Not Applicable

Lock doors after business hours and when unattended

Not Applicable Restricted High Not Applicable Not Applicable

Install output devices where they cannot be accessed by unauthorized parties

Not Applicable Restricted High Moderate Not Applicable

Store unencrypted media containing sensitive data in secure locations

Not Applicable Restricted High Moderate Not Applicable

Develop and maintain disaster recovery and contingency plans

Not Applicable Restricted High Not Applicable Not Applicable

Place power equipment and cabling in safe locations

Not Applicable Restricted High Not Applicable Not Applicable

Install emergency power shutoff mechanisms in appropriate locations

Not Applicable Restricted High Not Applicable Not Applicable

Implement uninterruptible power supply (UPS)

Not Applicable Restricted High Not Applicable Not Applicable

Install and maintain fire detection and suppression

Not Applicable Restricted High Not Applicable Not Applicable

Install, maintain, and monitor temperature and humidity controls

Not Applicable Restricted High Not Applicable Not Applicable

Protect processing equipment from potential water leakage

Not Applicable Restricted High Not Applicable Not Applicable

Secure Coding and Application Security

Secure Coding and Application Security (DS-18)

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Use Production, Staging, Test, and Development environments

Not Applicable Restricted High Moderate Not Applicable

Exclude sensitive data from Test and Dev, or obtain IA permission

Not Applicable Restricted High Not Applicable

Define security requirements early in the SDLC and evaluate compliance

Not Applicable Restricted High Moderate Not Applicable

Use the latest available external or third-party components

Not Applicable Restricted High Moderate Not Applicable

Avoid dynamic inclusion of software

Not Applicable Restricted High Moderate Not Applicable

Validate application input

Not Applicable Restricted High Moderate Not Applicable

Execute proper error handling

Not Applicable Restricted High Moderate Not Applicable

Authenticate users through central AuthN/AuthZ systems

Not Applicable Restricted High Not Applicable

Implement multi-factor authentication

Not Applicable Restricted High Not Applicable

Control access based on roles and the principle of least privilege

Not Applicable Not Applicable

Review individually-granted access annually

Not Applicable Restricted High Not Applicable

Provide for automated review of authorizations where possible

Not Applicable Restricted High Not Applicable

Encrypt external transmission of data

Not Applicable Restricted High Not Applicable

Implement application logs with important event data

Not Applicable Restricted High Moderate Not Applicable

Conduct code security reviews/audits for new or changed applications

Not Applicable Restricted High Not Applicable

Use effective quality assurance techniques prior to go-live

Not Applicable Restricted High Not Applicable

Remove obsolete or no longer supported or needed software

Not Applicable Restricted High Moderate Not Applicable

Implement and maintain a change management process

Not Applicable Restricted High Not Applicable

Security Log Collection, Analysis, and Retention

Security Log Collection, Analysis, and Retention (DS-19)
Guidance: Security Log Management

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Enable logging for endpoints (workstations, desktops)

Not Applicable Restricted

Enable logging for all other systems (non-endpoint)

Not Applicable Restricted High Moderate

Include essential events and elements in logs

Not Applicable Restricted High Moderate

Consult Sensitive Data Guide to ensure appropriate storage of log data

Not Applicable Restricted High Moderate Not Applicable

Restrict log access to authorized individuals

Not Applicable Restricted High Moderate Low

Protect log data from unauthorized changes and operational problems

Not Applicable Restricted High Moderate

Automate alerting on logging failures

Not Applicable Restricted High

Send local logs to IA SIEM, meeting minimum delay requirements

Not Applicable Restricted High Not Applicable Not Applicable

Retain log data for duration required by policy and law

Not Applicable Restricted High Moderate Not Applicable

Keep security logs immediately available for 90 days

Not Applicable Restricted High Moderate

Purge unneeded logs securely

Not Applicable Restricted High Moderate

Third Party Vendor Security and Compliance

Third Party Vendor Security and Compliance (DS-20)
Guidance: Third Party Vendor Security & Compliance

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Adhere to U-M's Vendor Security and Compliance Assessment process

Critical Restricted High Moderate Low

Continuously manage vendor security compliance

Critical Restricted High Moderate Low

Vulnerability Management

Vulnerability Management (DS-21)
Guidance: Vulnerability Management

Security Requirement
Mission Critical?
Restricted
High
Moderate
Low

Conduct vulnerability scans at least monthly

Not Applicable Restricted High Not Applicable Not Applicable

Prioritize remediation/mitigation based on severity

Critical Restricted High Moderate Low

Develop corrective action plans for identified vulnerabilities

Critical Restricted High Moderate Low