The University of MichiganNews Services
The University Record Online
Updated 9:00 AM June 21, 2006




view events

submit events

UM employment

police beat
regents round-up
research reporter


Advertise with Record

contact us
meet the staff
contact us
contact us

U-M launches safe computing program

The university has a new campus-wide IT security program.

In an effort endorsed by University leadership, Information Technology Security Services (ITSS), worked with representatives from schools, colleges and central offices to develop the plan. The
U-M IT Security Program provides initiatives that, when implemented centrally and at the unit level, will help ensure the security and privacy of information and technological resources.

The program defines how security responsibilities will be shared between ITSS and each school, college and unit, and describes the unit's role in protecting the information it collects and stores, as well as the institution's information it accesses for business purposes. One aspect of the program requires each unit to develop an IT security plan that meets its unique needs.

"ITSS identifies University-wide security measures, sets the direction and coordinates the implementation of these initiatives with the goal of standardizing procedures and mitigating risk," says Paul Howell, chief information technology security officer. The central office also manages technical solutions that can be provided centrally, such as training professional IT security officers.

To facilitate the development of unit plans, nearly 40 liaisons, chosen by vice presidents, deans and directors, will participate in a series of summer workshops. ITSS will provide information, templates, tools and guidance to assist in the development of individual plans. The liaisons will work with others in their areas to further help faculty, staff and students protect the confidentiality, integrity and availability of University information resources.

The IT Security Program includes components that will be incorporated into unit plans. Incident Management provides consistent policies and procedures for tracking, analyzing and responding to IT security incidents, and for coordinating a mass incident response. Units are responsible for recognizing and responding to the situation at the local level, and for reporting serious incidents to ITSS. The ITSS incident coordinator ensures that University stakeholders are involved in the response as appropriate for the incident type and information that might have been compromised.

In an effort to reduce the number of IT incidents, an industry-standard risk management methodology has been adopted. ITSS experts are training unit IT staff to implement RECON or Risk Evaluation of Computers and Open Networks. Units will be performing internal assessments, and ITSS will consolidate risk assessment results to form a University-level profile.

ITSS is spearheading the review of existing policies and the creation of new university-wide procedures. Regulatory compliance to government mandates are considered in crafting policies and guidelines. Units continue to be responsible for adopting these high-level guidelines, and for developing, implementing and maintaining additional standards relative to their own needs and circumstances.

Creating awareness of the IT security program is key to its effectiveness. ITSS organizes training programs, security awareness events, publications and Web resources, such as To date more than 50 security administrators have been trained, and more certification classes are scheduled for next year.

ITSS also provides several technical security services. Quarterly, ITSS scans campus and unit networks for vulnerability to attacks (worms, bots, viruses, etc.). Units also can use the technology to perform scans more often.

"Our goal at ITSS is to make IT security a top priority at all levels of the University," Howell says. "We want units to take into account risks and safety measures as they develop their goals and objectives and make core business decisions. They need appropriate staffing and funding to protect institutional information because ultimately, they are responsible for these resources."

For more information about the Information Technology Security Program visit

More Stories