To help support the U-M IT security program, every unit, school, or college has a staff member designated as a Security Unit Liaison (SUL), serving as that unit's primary IT security contact. To find the SUL for your unit, see the Security Unit Liaison Directory.
The Information Security Policy (SPG 601.27) establishes the expectation that units share in the responsibility to protect the information assets controlled by the university.
Security Unit Liaisons and those they designate attend periodic meetings hosted by IIA. (See IT Security Community Meetings.)
Respective unit deans or directors appoint a Security Unit Liaison to serve as the focal point for coordinating information security activities within the unit, and as the main interface between the unit and IIA.
In general, SULs are expected to commit to a two-year term with an average time commitment of four to six hours per month, depending on the size and complexity of their unit. They are also expected to attend several scheduled Security Community meetings annually.
Security Unit Liaisons are responsible to:
- Regularly communicate with unit leadership on security-related issues, including apprising them of relevant security risks and possible risk mitigation.
- Leverage ITS-provided information and infrastructure assurance services to meet unit requirements and support unit missions.
- Ensure the unit has established, and regularly reviews as needed, appropriate unit-level security procedures that are consistent with U-M policies and guidelines.
- Coordinate information security education and awareness for the unit.
- Disseminate relevant email messages, security awareness and communication materials from IIA and other sources to appropriate unit audiences.
- Promote awareness and education of security policies and guidelines; serve as primary contact for monitoring and auditing of information security policy implementation.
- Provide ongoing feedback to IIA on special security needs, priorities, and concerns, including possible improvements for processes, services, and technologies.
- Act as the focal point for information security incident management in the unit, informing IIA and unit leadership of serious incidents and coordinating incident response with IIA.
- Assist IIA in the maintenance of an inventory of sensitive and critical information assets within the unit as well as any unit-unique regulatory requirements.
- Attend scheduled Security Community meetings.
SULs are either responsible for or support specific ongoing and recurring activities, including the responsibility to:
- In MiWorkspace units, collaborate with IIA's Unit Security Service to resolve issues identified in a variety of IIA-generated reports, such as the data loss prevention report.
- Assist with annual Unit Characteristics Reports.
- Work with unit leadership to answer the annual Internal Controls IT security certification question.
- Identify education and awareness topics that would benefit the unit.
- Clarify risk assessment scopes, facilitate post-assessment decisions and ensure RECON treatment plan progress for unit-unique services or applications.
- Ensure unit-unique services or applications have appropriate IT security controls implemented according to the Server and Database Hardening Guides.
- Serve as gatekeeper for inclusion of unit staff in the Security Community.