Information Security Reports
The focus of the IT Security Program, which applies to all University campuses, is to protect the information and the information technology resources of the University. Information and Infrastructure Assurance (IIA), a unit of ITS, leads and coordinates the overall program, and provides security services to MiWorkspace units. Schools and colleges and non-MiWorkspace administrative units are responsible for implementing unit-level security measures to mitigate risks and to comply with information security policies and regulations.
The information security reports provide units with:
- An annual snapshot of a unit's progress in implementing required security measures and processes
The U-M information security policy, SPG 601.27, requires each unit to develop, maintain, and implement an information security plan, conduct risk assessments, and track critical and sensitive information assets. IIA is responsible for monitoring unit compliance with the policy. This M-Report provides unit management with high-level IT security key performance indicators that can help identify areas where improvement is still needed.
The Unit-Level Security report provides each unit with an annual snapshot of its progress in implementing the IT security program and becoming compliant with the University's Information Security policy. With it, you can:
- View metrics reflecting your compliance with the information security policy compared to other units (updated annually)
- View additional information reflecting various characteristics of your unit relative to other units (updated annually)
The overall Key Performance Indicator score (0-6) of a given unit reflects the following:
- Progress Report – Has your unit completed the annual security progress report? (yes=2; partially=1; no=0)
- Certification Response – What was your unit’s response to the internal controls certification question about IT security last year? (yes=2; partially=1; no=0)
Note: For more information about the current year IT security certification question, please see https://www.safecomputing.umich.edu/itprof/security_cert_question.php (authorization required).
- Risk Assessment Progress – Is your unit on track to complete its planned security risk assessments within a four-year cycle? (yes=2; partially=1; no=0).
Note: Units are expected to complete all security risk assessments around their sensitive and critical information assets within a four-year cycle. The current cycle is July 1, 2010 to June 30, 2014.
The data used in the Information Security reports comes from the following sources:
- Progress Report Status – Unit characteristics data provided annually by units to IIA
- Certification Response – Internal Controls Certification Process conducted annually in September
- Risk Assessment Progress – Completed risk assessments provided to IIA by the end of the fiscal year
Access DetailsWho needs access?
The unit-level report is available to deans, directors, budget administrators, security unit liaisons and the IIA Council. Individuals can only view their own unit reports.How do I request access?
There is no auto-granted access to these reports. Users with a business need can request access through their security unit liaison. See a list of liaisons at https://www.safecomputing.umich.edu/download/Security UL List.pdf. The security unit liaison should contact IIA at firstname.lastname@example.org to request that access be established.What can users see?
When you choose Department Reports, the report shows the unit that you have been authorized to view.
|Progress Report Status||Unit characteristics data provided annually by units to IIA|
|Certification Response||Internal Controls Certification Process conducted annually in September|
|Risk Assessment Progress||Completed risk assessments provided to IIA by the end of the fiscal year|
Additional information about the IT Security Program is available at:
Additional information about protecting University data is available at