To help support the U-M IT security program, every unit, school, or college has a staff member designated as a Security Unit Liaison (SUL), serving as that unit's primary IT security contact. To find the SUL for your unit, see the Security Unit Liaison Directory.
The Information Security Policy (SPG 601.27) establishes the expectation that units share in the responsibility to protect the information assets controlled by the university.
Security Unit Liaisons and those they designate attend periodic meetings hosted by Information Assurance (IA). (See IT Security Community Meetings.)
Respective unit deans or directors appoint a Security Unit Liaison to serve as the focal point for coordinating information security activities within the unit, and as the main interface between the unit and IA.
In general, SULs are expected to commit to a two-year term with an average time commitment of four to six hours per month, depending on the size and complexity of their unit. They are also expected to attend several scheduled IT Security Community meetings annually.
Security Unit Liaisons are responsible to:
- Regularly communicate with unit leadership on security related issues, including appraising them of relevant security risks and possible risk mitigation.
- Leverage ITS-provided IA services to meet unit requirements and support unit missions;
- Ensure unit has established and regularly reviews, if needed, appropriate unit-level security procedures that are consistent with U-M policies and guidelines.
- Coordinate information security education and awareness for the unit.
- Disseminate relevant email messages, security awareness and communication materials from IIA and other sources to appropriate unit audiences.
- Promote awareness and education of security policies and guidelines; serve as primary contact for monitoring and auditing of information security policy implementation.
- Provide ongoing feedback to IA of special security needs, priorities, and concerns, including possible improvements for processes, services, and technologies.
- Act as the focal point for information security incident management in the unit; informing IA and unit leadership of serious incidents and coordinating incident response with IA.
- Assist IA in the maintenance of an inventory of sensitive and critical information assets within the unit as well as any unit-unique regulatory requirements.
- Attend scheduled Security Community meetings.
SULs are either responsible for or support some ongoing and recurring specific activities, including the responsibility to:
- In MiWorkspace units, collaborate with IA's Unit Security Service to resolve issues identified in a variety of IIA-generated reports, such as the data loss prevention report.
- Work with unit leadership to answer annual Internal Controls IT security certification question.
- Identify education and awareness topics that would benefit the unit.
- Clarify risk assessment scopes, facilitate post-assessment decisions and ensure RECON treatment plan progress for unit-unique services or applications.
- Ensure unit-unique services or applications have appropriate IT security controls implemented according to the Server and Database Hardening Guides.
- Serve as gatekeeper for inclusion of unit staff in the Security Community.