Minimum Information Security Requirements for Systems, Applications, and Data

U-M's Information Security policy (SPG 601.27) and the U-M IT security standards apply to all U-M units, faculty, staff, affiliates, and vendors with access to U-M institutional data. Federal or state regulations and contractual agreements may require additional actions that exceed those included in U-M's policies and standards.

Use the table below to identify minimum security requirements for your system or application. To use the table, you need to do both of the following:

Requirements are organized by standard:

Icon Key:

  • checkmark icon Required
  • circle icon Recommended
  • minus icon Not applicable
  • X icon Not allowed

Icon Key:

  • checkmark circle icon Required
  • checkmark icon Recommended

Access, Authentication, and Authorization Management

Access, Authentication, and Authorization Management (DS-22)

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Uniquely identify individual system users

Restricted High Moderate

Include responsible use notification and user acknowledgement at login

Restricted High Moderate

Grant the minimum, sufficient access or privileges

Restricted High Moderate

Separate duties related to granting of access

Restricted High Moderate

Require training and agreement prior to access

Restricted High Moderate

Employ role-based access controls

Restricted High

(Users) Access sensitive data only as necessary for job duties

Restricted High Moderate

(Users) Log out or lock unattended workstations

Restricted High Moderate

Revoke access upon termination of personnel appointments

Restricted High Moderate

Review accounts at least annually

Restricted High Moderate

Meet related regulatory and/or contractual obligations

Restricted High Moderate

Designate owners to manage privileged accounts

Restricted High Moderate

Designate owners to manage shared accounts

Restricted High Moderate

Encrypt authentication and authorization mechanisms

Restricted High Moderate

Manage passwords and password processing securely

Restricted High Moderate

Enable session lock after inactivity

Restricted High

Require two-factor authentication for system access

Restricted High

Awareness, Training, and Education

Information Assurance Awareness, Training, and Education (DS-16)
Guidance: Training, Education & Awareness

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Establish training requirements for those having access to sensitive data

Restricted High Moderate

Address training participation in performance management processes

Maintain records of participation in required training

Disaster Recovery Planning and Data Backup for Information Systems and Services

Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12)
Guidance: Disaster Recovery Management; Back Up U-M Data

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Identify mission critical systems

Critical Restricted High Moderate Low

Develop, implement and test DR plans for critical systems

Critical

Review DR plans and subsequently update/test as necessary

Critical

Evaluate new systems prior to go-live

Critical Restricted High Moderate Low

Incorporate a disaster risk assessment

Critical

Establish DR performance objectives

Critical

Align data backup procedures with DR objectives

Critical Restricted High

Ensure DR plan availability

Critical

Identify primary responsibility for data backup

Critical Restricted High Moderate Low

Ensure backups are encrypted

Restricted High

Ensure contracts with vendors include DR and data backup SLAs

Critical Restricted High

Electronic Data Disposal and Media Sanitization

Electronic Data Disposal and Media Sanitization (DS-11)
Guidance: Securely Dispose of U-M Data and Devices

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Sanitize device/storage media before transfer

Restricted High Moderate Low

Ensure sanitization methods meet the Standard's requirements

Restricted High Moderate Low

Retain certificates of sanitization for 3 years

Restricted High Moderate Low

Remove licensed software from device/storage media before transfer

Restricted High Moderate Low

Encryption

Encryption (DS-15)

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Use encryption that meets NIST FIPS minimum requirements

Restricted High Moderate

Encrypt data at rest in data centers

Encrypt data at rest in machine rooms

Restricted High

Encrypt data at rest on portable and removable storage media

Restricted High

Encrypt data at rest on laptops (UM-owned)

Restricted High

Encrypt data at rest on desktops (UM-owned)

Restricted

Encrypt data at rest with cloud providers

Restricted High

Encrypt data at rest on personally owned devices

Not Allowed High

Encrypt all CUI data at rest

High

Encrypt data backups outside U-M data centers

Restricted High

Encrypt data in transit within U-M campuses

Encrypt data in transit between U-M campuses

Restricted High

Encrypt data in transit outside U-M campuses

Restricted High

Implement an appropriate key management plan

Restricted High

Comply with applicable export/import laws and regulations

Restricted High Moderate Low

Information Security Risk Management

Information Security Risk Management (DS-13)
Guidance: Information Security Risk Management

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Categorize IT assets according to their sensitivity and criticality

Critical Restricted High Moderate Low

Conduct risk assessments annually

Restricted

Conduct risk assessments every four years

Critical High

Conduct a risk assessment soon after a serious IT security incident

Critical Restricted High Moderate Low

Conduct any risk assessments required by regulation or law

Critical Restricted High Moderate Low

Use RECON or other approved tool(s) for any required risk assessments

Critical Restricted High

Provide IA with results of unit-conducted risk assessments

Critical Restricted High Moderate Low

Maintain risk assessment data as confidential, classified as High

Critical Restricted High Moderate Low

Develop post-assessment plans to reduce risks to acceptable levels

Critical Restricted High Moderate Low

Implement the appropriate risk-reducing controls

Critical Restricted High Moderate Low

Authorize acceptance of unmitigated risks

Critical Restricted High Moderate Low

Assist IA with tracking Risk Treatment Plan progress

Critical Restricted High Moderate Low

Network Security

Network Security (DS-14)

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Implement default-deny, least-privilege policies on network firewalls

Critical Restricted High Moderate

Isolate trusted networks containing sensitive data from non-trusted networks

Restricted High Moderate

Securely configure network infrastructure devices

Critical Restricted High Moderate Low

Maintain accurate network documentation

Critical Restricted High Moderate Low

Document network interconnects to non-UM parties

Critical Restricted High Moderate Low

Protect devices not requiring exposure to the internet

Critical Restricted High Moderate Low

Restrict vendor remote network access to the smallest segment feasible

Restricted High

Obtain authorization before extending any U-M networks

Critical Restricted High Moderate Low

Encrypt wireless network traffic

Restricted High Moderate

Physical Security

Physical Security (DS-17)

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Document and implement physical security procedures, train faculty and staff

Restricted High

Formalize procedures for granting access to U-M/unit data centers

Restricted High

Limit physical access to systems containing PHI

High

Restrict physical access to only those authorized

Restricted High

Maintain accurate lists of those authorized to access secure locations

Restricted High

Review authorization lists regularly

Restricted High

Implement appropriate access control mechanisms and logging

Restricted High

Place sensitive/critical equipment in access-controlled areas

Critical Restricted High Moderate

Prohibit sharing of access credentials

Restricted High

Require that personnel identification be displayed within secured locations

Restricted High

Implement 24/7 video surveillance

Restricted High

Escort authorized vendors/visitors within secured locations

Restricted High

Log all vendor/visitor access to secured locations

Restricted High

Prohibit food and drink in secured locations

Restricted High

Document maintenance activities and maintain records for three years

Restricted High

Lock doors after business hours and when unattended

Restricted High

Install output devices where they cannot be accessed by unauthorized parties

Restricted High Moderate

Store unencrypted media containing sensitive data in secure locations

Restricted High Moderate

Develop and maintain disaster recovery and contingency plans

Restricted High

Place power equipment and cabling in safe locations

Restricted High

Install emergency power shutoff mechanisms in appropriate locations

Restricted High

Implement uninterruptible power supply (UPS)

Restricted High

Install and maintain fire detection and suppression

Restricted High

Install, maintain, and monitor temperature and humidity controls

Restricted High

Protect processing equipment from potential water leakage

Restricted High

Secure Coding and Application Security

Secure Coding and Application Security (DS-18)

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Use Production, Staging, Test, and Development environments

Restricted High Moderate

Exclude sensitive data from Test and Dev, or obtain IA permission

Restricted High

Define security requirements early in the SDLC and evaluate compliance

Restricted High Moderate

Use the latest available external or third-party components

Restricted High Moderate

Avoid dynamic inclusion of software

Restricted High Moderate

Validate application input

Restricted High Moderate

Execute proper error handling

Restricted High Moderate

Authenticate users through central AuthN/AuthZ systems

Restricted High

Implement two-factor authentication

Restricted High

Control access based on roles and the principle of least privilege

Review individually-granted access annually

Restricted High

Provide for automated review of authorizations where possible

Restricted High

Encrypt external transmission of data

Restricted High

Implement application logs with important event data

Restricted High Moderate

Conduct code security reviews/audits for new or changed applications

Restricted High

Use effective quality assurance techniques prior to go-live

Restricted High

Remove obsolete or no longer supported or needed software

Restricted High Moderate

Implement and maintain a change management process

Restricted High

Security Log Collection, Analysis, and Retention

Security Log Collection, Analysis, and Retention (DS-19)
Guidance: Security Log Management

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Enable logging for endpoints (workstations, desktops)

Restricted

Enable logging for all other systems (non-endpoint)

Restricted High Moderate

Include essential events and elements in logs

Restricted High Moderate

Consult Sensitive Data Guide to ensure appropriate storage of log data

Restricted High Moderate

Restrict log access to authorized individuals

Restricted High Moderate Low

Protect log data from unauthorized changes and operational problems

Restricted High Moderate

Automate alerting on logging failures

Restricted High

Send local logs to IA SIEM, meeting minimum delay requirements

Restricted High

Retain log data for duration required by policy and law

Restricted High Moderate

Keep security logs immediately available for 90 days

Restricted High Moderate

Purge unneeded logs securely

Restricted High Moderate

Third Party Vendor Security and Compliance

Third Party Vendor Security and Compliance (DS-20)
Guidance: Third Party Vendor Security & Compliance

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Adhere to U-M's Vendor Security and Compliance Assessment process

Critical Restricted High Moderate Low

Continuously manage vendor security compliance

Critical Restricted High Moderate Low

Vulnerability Management

Vulnerability Management (DS-21)
Guidance: Vulnerability Management

Security Control
Mission Critical?
Restricted
High
Moderate
Low

Conduct vulnerability scans at least monthly

Restricted High

Prioritize remediation/mitigation based on severity

Critical Restricted High Moderate Low

Develop corrective action plans for identified vulnerabilities

Critical Restricted High Moderate Low