Internal Control Annual Information Assurance Certification Question Archive

The Office of Internal Controls conducts an annual certification process that leverages Sarbanes-Oxley Act best practices. One of the annual certification areas is information assurance; units are asked to certify that they are compliant, partially compliant, or non-compliant with a particular security practice or process that changes every Fiscal Year (FY).

FY24 Information Assurance Internal Control Certification Question

My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).

All units should be able to reply yes or partial to the FY24 question.

FY23 Information Assurance Internal Control Certification Question

My unit is regularly reviewing and remediating critical vulnerabilities within the timeframes specified in the Vulnerability Management (DS-21) standard.

Responses:

FY22 Information Assurance Internal Control Certification Question

My unit has discontinued use of Cosign, an outdated single sign-on web authentication system, for unit-owned applications, or has defined plans to do so by June 2023.

Responses:

  • Yes. My unit has discontinued use of Cosign for all of our unit applications.
  • Partial. My unit has discontinued use of Cosign for some of our unit applications and has plans to discontinue use for the remaining applications by June 2023.
  • No. My unit has not discontinued use of Cosign for any unit applications and has no plans to do so by June 2023.

FY21 Information Assurance Internal Control Certification Question

My unit has deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process, and:

  • Has plans and processes in place to deploy Falcon on machines that are currently inaccessible due to the pandemic;
  • Has plans and processes in place to support deployment in an ongoing manner.

Responses:

  • Yes. My unit has deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process; has plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has plans and processes in place to support deployment in an ongoing manner.
  • Partial. My unit has deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on some U-M owned computers and servers identified through the ITS Information Assurance survey process; has plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has plans and processes in place to support deployment in an ongoing manner.
  • No. My unit has not deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process; has no plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has no plans and processes in place to support deployment in an ongoing manner.

FY20 Information Assurance Internal Control Certification Question

Does your unit engage in creating awareness and providing education related to securely conducting university work remotely?

  • Yes. My unit engages in frequent awareness and education activities related to secure remote work.
  • Partial. My unit engages in occasional awareness and education activities related to secure remote work.
  • No. My unit does not engage in awareness and education activities related to secure remote work.

FY19 Information Assurance Internal Control Certification Question

My unit has implemented appropriate practices for complying with Vulnerability Management (DS-21), and consistently meets the standard’s timeframes for remediating critical vulnerabilities.

  • Yes. My unit has fully implemented appropriate practices for complying with Vulnerability Management (DS-21) and consistently meets the standard’s timeframes for remediating critical vulnerabilities.
  • Partial. My unit has partially implemented appropriate practices for complying with Vulnerability Management (DS-21) and/or sometimes meets the standard's timeframes for remediating critical vulnerabilities.
  • No. My unit has not developed appropriate practices for complying with Vulnerability Management (DS-21) or does not consistently meet the standard’s timeframes for remediating critical vulnerabilities.

FY18 Information Assurance Internal Control Certification Question

My unit has developed a unit-specific protocol for university-owned devices that complies with Electronic Data Disposal and Media Sanitization (DS-11) and communicated to our faculty and staff the protocol and Safe Computing best practices for sanitizing personal devices that have maintained university data.

FY17 IT Security Internal Control Certification Question

I have read Section IX (Information Technology Security and Privacy) of Procurement General Policies and Procedures (SPG 507.01) and have begun to assess how this affects my unit.

FY16 IT Security Internal Control Certification Question

Faculty and staff in my unit have been informed of their responsibilities to report suspected, attempted, successful, or imminent serious IT security incidents, per Information Security Incident Reporting Policy (SPG 601.25). (See also Report an IT Security Incident.)

  • Yes. Within the last year, faculty and staff in my unit have been informed about their incident reporting responsibilities and how to report suspected, attempted, successful, or imminent serious IT security incidents, per SPG 601.25.
  • Partial. Within the past two years, faculty and staff in my unit have been informed about their incident reporting responsibilities and how to report suspected, attempted, successful, or imminent serious IT security incidents, per SPG 601.25.
  • No. Faculty and staff in my unit have not been informed, for three or more years, of their incident reporting responsibilities and how to report suspected, attempted, successful, or imminent serious IT security incidents, per SPG 601.25.

FY15 IT Security Internal Control Certification Question

My unit has implemented Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33).

  • Yes. My unit has implemented SPG 601.33 by deciding whether to allow staff to use their personally owned device when working with sensitive data and, if yes, whether to be more restrictive than the SPG. My unit has implemented any additional restrictions and communicated expectations to faculty and staff.
  • Partial. My unit has partially implemented SPG 601.33 by deciding whether to allow staff to use their personally owned device when working with sensitive data and, if yes, whether to be more restrictive than the SPG. My unit has not yet implemented these additional restrictions and communicated expectations to faculty and staff.
  • No. My unit has not implemented SPG 601.33. We have neither made nor implemented decisions on whether to allow staff to use their personally owned device when working with sensitive data, nor communicated expectations to faculty and staff.

FY14 IT Security Internal Control Certification Question

This fiscal year I met regularly with my security unit liaison to discuss the status of my unit’s IT security risk exposure.

  • Yes. I have met more than once with my security unit liaison.
  • Partial. I have met once with my security unit liaison.
  • No. I did not meet with my security unit liaison.

FY13 IT Security Internal Control Certification Question

I have reviewed my unit’s information security report (available through MReports) and have made plans to implement the necessary corrective measures to ensure my unit has a compliant status.

  • Yes. I have reviewed the report and my unit is already compliant or we have a plan to implement the necessary corrective measures to achieve a compliant status.
  • Partial. I have reviewed the report but do not have a plan to implement the necessary corrective measures to achieve a compliant status.
  • No. I have not reviewed my unit’s information security report.

FY12 IT Security Internal Control Certification Question

My unit is using RECON (or similar risk assessment process) to identify and implement necessary risk mitigation improvements to sensitive and mission critical information systems.

  • Yes. Unit is using RECON (or similar process) and has implemented all of the necessary risk mitigation improvements identified.
  • Partial. Unit is using RECON (or similar process) and has implemented some but not all of the risk mitigation improvements identified.
  • No. Unit is using RECON (or similar process) but has not implemented any of the risk mitigation improvements identified.

FY11 IT Security Internal Control Certification Question

Units are required (SPG 520.1) to remove all software and/or files from computers prior to their being sent to Property Disposition. My unit securely wipes/erases or makes unreadable all electronic storage media (such as disk drives or solid state storage) prior to recycling or resale of used or surplus equipment.

  • Yes. My unit has implemented procedures to ensure that all electronic storage media are properly erased or made unreadable prior to disposal, recycling or resale.
  • Partial. My unit has procedures to ensure that electronic storage media are properly erased or made unreadable prior to disposal, recycling or resale; however not every department or area within my unit consistently follows our procedures.
  • No. At this time, my unit does not have defined procedures to ensure that electronic storage media are properly erased or made unreadable prior to disposal, recycling or resale.

FY10 IT Security Internal Control Certification Question

My unit has identified the sensitive and critical information assets under its control. Risk assessments around the sensitive and critical information assets that my unit is responsible for will be completed between July 1, 2010, and June 30, 2014.

  • Yes. My unit has developed a risk assessment plan and has committed resources to begin executing the plan. Risk assessments around all known sensitive and critical information assets that my unit is responsible for will be completed between July 1, 2010, and June 30, 2014.
  • Partial. My unit has developed a risk assessment plan and will complete risk assessments around some, but not all, of the sensitive and critical information assets that my unit is responsible for between July 1, 2010, and June 30, 2014.
  • No. At this time, my unit does not have a plan to conduct risk assessments around the sensitive and critical information assets that my unit is responsible for.
  • N/A. To the best of my knowledge, my unit does not control any sensitive or critical information assets.

FY09 IT Security Internal Control Certification Question

I have implemented the Information Security Reporting Policy, SPG 601.25 for my unit.

  • Yes. I have directed my staff to implement the policy above, as it applies to IT security. My unit’s Information Security Coordinator has been trained to promptly report all serious incidents per policy. Unit-level procedures, communications, and education programs relative to incident reporting have been implemented. Faculty and staff in my unit have been informed of their incident reporting responsibilities.
  • Partial. I have directed my staff to implement the policy above. Implementation of this policy is in progress.
  • No. The implementation of this policy has not yet begun.

FY08 IT Security Internal Control Certification Question

I have read the University's Information Security Policy, SPG 601.27, and have begun to implement this policy within my unit. To the best of my ability, I am guiding my unit in adhering to this policy by: submitting an approved security plan; identifying and tracking sensitive information assets; periodically performing risk assessments (using RECON or an ITSS-approved alternative) of sensitive and critical information assets; reporting and managing information security incidents in accordance with SPG 601.25; and implementing appropriate safeguards to protect sensitive and critical information assets.

  • Yes. Unit does not have an approved plan and policy implementation has not yet begun.
  • Partial. Unit has an approved plan but has not yet begun policy implementation to identify sensitive and critical IT assets or perform risk assessments.
  • No. Unit has an approved plan and has begun or completed policy implementation to identify sensitive and critical IT assets and perform periodic risk assessments which are shared with ITSS.

FY07 IT Security Internal Control Certification Question

I have approved my unit’s IT Security Plan and have provided a copy of the plan to the Office of Information Technology Security Services (ITSS). The three-year plan includes: a timetable for implementing security processes; a schedule for performing risk assessments; definition of unit security roles and responsibilities; a simple description of the current security environment; and an identification of the most sensitive information assets managed by my unit. My unit is regularly collaborating with ITSS and participating in IT Security Community activities.

  • Yes. Unit Security Plan not yet provided to ITSS.
  • Partial. Unit has submitted a preliminary Security Plan to ITSS.
  • No. IT security plan completed, approved, and submitted; continual collaboration with ITSS.

FY06 IT Security Internal Control Certification Question

I am aware of the U-M IT security program. I have appointed an IT security unit liaison to work with the Information Technology Security Services (ITSS) office. The name of our IT security unit liaison has been given to ITSS.