Stewardship of IT Security Information

Users of the university’s information resources are generally aware of the need to protect personally identifiable information (PII) from unauthorized access or disclosure. There are, however, other types of information whose unauthorized disclosure may be harmful to the university. The university recognizes IT security information as institutional data classified as "High," and assigns data stewardship responsibilities to define guidelines that govern the management and protection of this information.

What is IT security information?

This is information that is relevant to protecting the university’s IT resources (e.g., data, computers, information systems, networks, accounts). In many cases, security information is data about data (or metadata). It is separate from the contents of the information that is stored on the relevant IT resource. For example, incident-related security information includes information such as the incident type, severity, when it occurred, who discovered the incident, and who is affected. It does not include the contents of the information residing on the computer that might have been compromised by the incident.

How is IT security information generated?

This type of information is generated as a result of automated or manual processes that are intended to safeguard the university’s IT resources. Examples of processes that generate security information include but are not limited to:

  • authentication (e.g., log on/off)
  • network-based filtering (e.g., router Access Control List and firewall logging)
  • authorization (e.g., audit trails enabled to record access to files or records)
  • vulnerability scanning (e.g., the output generated by a vulnerability scanner against an asset)
  • security incident response (per Information Security Incident Reporting (SPG 601.25))
  • risk assessment (e.g., the detailed report from a risk assessment process detailing risks that are present in a given system)
  • security planning (e.g., the designs and documentation of security architectures and plans)

What types of data are considered IT security information?

IT security information consists of data that are generated as a result of a security process involving the safeguarding of IT resources. IT security data includes but is not limited to the following:

  • access and authorization audit logs generated by operating systems, applications, and other protection-oriented processes
  • firewall policies, logs, and alerts
  • incident reports and details stemming from breaches and suspicious events
  • intrusion detection signatures, logs, and alerts
  • login / logoff transactions (successful and unsuccessful)
  • privileged credentials (encryption keys, shared passwords)
  • risk assessment results
  • security configurations of computers, networks, and other IT elements
  • vulnerability scanning results

Why is it important to recognize IT Security Information as Institutional Data?

Institutional data resources are owned by the university and are formally managed and protected in accordance with university policies as defined in Institutional Data Resource Management Policy (SPG 601.12). The university designates Data Stewards, Delegated Data Stewards, and Data Managers to each category (area) of institutional data, who are responsible for defining rules and guidelines for managing, sharing, and protecting a specific category.

Who are the Data Stewards, Delegated Data Stewards, and Data Managers responsible for IT Security Information?

The Data Steward is Ravi Pendse, Vice President for Information Technology and Chief Information Officer.

The Delegated Data Steward/Data Manager is Sol Bermann, Interim University Chief Information Security Officer (CISO). The University CISO should be contacted to address any issues or questions relating to sharing or securing IT Security Information.

Why is IT security information considered sensitive?

IT security information reflects the security posture of a given environment, unit, or the university in general. Information such as the results of vulnerability scans or risk assessments may indicate vulnerabilities that could be exploited if disclosed to hackers or to other unauthorized individuals. It should be noted that not all IT security information has the same level of sensitivity—security information that is de-identified and aggregated to provide statistical trends may be less sensitive than security information describing the vulnerabilities of individual systems or environments.

With whom can IT security information be shared?

Like other sensitive information, IT security information should only be shared with university staff who have a “need to know” to execute their normal business functions. IT security information should not be shared outside U-M or with individuals who do not have a business reason to access this information. Examples of cases where IT security information should be shared include sharing incident information and the results of risk assessments with Information Assurance (IA), so that the information can be centrally aggregated and analyzed.

How long should IT security information be retained?

As a general rule, information should not be retained beyond its usefulness or beyond what applicable regulations require. IT security information should be securely destroyed when no longer needed. When making a determination to destroy this type of information, units should consider the utility of the information outside their immediate areas, for example, the usefulness of the information to IA in generating high-level risk profiles and trends. Specific retention policies will be developed over time by the Data Steward.

By capturing more IT security information, are we increasing the risk of having to disclose it in response to FOIA requests?

In general, security information is protected under Freedom of Information Act (FOIA) exemptions. If security information is requested under FOIA, the university will address such requests on a case-by-case basis, and will attempt to protect the confidentiality of the information to the extent possible.