Information Assurance & Office of Privacy

FY2025 Accomplishments

Continuing to Enhance Privacy at U-M

The ITS Office of Privacy and the Office of the Vice President for Communications (OVPC) released a new consent and preference management integration for U-M websites that accommodates the university’s complex, decentralized web environment and allows for easy integration and the ability to support non-umich.edu domains. The solution meets compliance requirements and demonstrates the university’s commitment to protecting the privacy of its community members and visitors.

In FY25, the Office of Privacy remained focused on broad outreach and education. Many U-M community members and guests attended this year’s Data Privacy Day keynote event on January 28, 2025, which featured a presentation by Prof. Sauvik Das on ‘Privacy in the Age of AI,’ and an in-depth conversation with UMSI Prof. Florian Schaub.

Following the success of ViziBLUE, the Office of Privacy debuted another innovative privacy tool this year. Privacy Portraits is a question-based, fun way to find out what sort of privacy persona you are and to learn about best practices selected just for you.


Supporting a Credible, Implementable, Enforceable, and Sustainable IT Policy Environment

In December 2024, the ITS Office of Privacy released a new IT standard and comprehensive guidance related to protecting university-owned systems, Endpoint Security Administration (DS-23). The standard formalizes guidance around implementation of enterprise-enhanced endpoint protection, adherence to the principle of least functionality, and maintenance of the inventory of university-owned systems, and helps units meet requirements around protecting our institution’s valuable digital assets.

In February 2025, the Office of Privacy published an important revision of the IT Standard on Network Security (DS-14) that introduces measures that further protect the university’s valuable digital assets and data, while continuing to support open access to resources across a diverse academic environment.

The team also developed a new self-service tool to help faculty and staff classify the data they are working with against the U-M data classification levels. This tool provides non-dispositive guidance to help plan for working with and protecting sensitive data.


Enabling Broad Training and Effective Engagement

In September 2024, the ITS Office of Privacy delivered an update to the required training for ITS staff. The new Data Protection for ITS course consolidates multiple courses on data protection, resulting in a comprehensive 30-minute data protection course that is streamlined, engaging, and accessible. A version of the course was made available to Unit IT, and several organizations, such as Student Life IT, have successfully adopted it as a requirement for their staff.

In April 2025, the team released a new DCE101: Cybersecurity and Data Protection at U-M training course. The course provides practical data protection guidance and cybersecurity awareness for faculty and staff across all U-M academic campuses in a modern, engaging, and accessible format.

The Office of Privacy is also working to deliver role-based experiences and resources. Launched in March 2025, the Safe Computing for Students page provides a one-stop shop for students needing quick access to information about scams affecting U-M students, tips for staying safe online and protecting their privacy, and guidance on how to report phishing. The page is featured in new-student orientation materials.

Praise for the New Trainings

“Wow! It’s so good! . . . the best example of this type of training I’ve ever seen.”
  – Anonymous U-M Staff member
“[An] excellent blend of detail and general information, which supports its objective,” and “was actually kind of fun!”
  – Nigel Melville, associate professor of technology and operations at the Ross School of Business
“Excellent…. All of the specific examples around phishing were super helpful.”
  – Mike Daniel, chief operating officer at the Center for Academic Innovation

Standardizing Campus Security and Vulnerability Management with CrowdStrike and Tenable

As part of an initiative to reduce security risks to university systems, ITS Information Assurance (IA) replaced the Center for Internet Security (CIS) hardening tool with features built into the already deployed CrowdStrike Configuration Management Tool and Tenable. Removing manual CIS steps allows greater machine coverage and faster ongoing secure configuration checks against known baselines. This makes it easier for campus units to identify misconfigurations in their systems.

IA scans campus networks for vulnerabilities monthly, and units can choose to perform scans more often. A few times a year, IA audits for extremely critical vulnerabilities that have not been patched and are currently being exploited. Units with these vulnerabilities are given one month to patch their machines, or IA will quarantine the affected machines using CrowdStrike.

IA has also made a Web App Scanning feature from Tenable available to units as a self-service tool. Web App scanning allows a web application to be scanned to identify coding issues that may result in security concerns. By making this self-serve, units can scan their homegrown web apps at any time, for example, before they deploy new code changes to production.

Additionally, IA partnered with the central ITS Cloud team to deploy Tenable Cloud Security as its primary tool for monitoring cloud systems like AWS, Azure, and GCP, helping to spot and fix problems quickly. Tenable complements CrowdStrike Falcon and, with the addition of the Falcon Complete service, gives U-M and our partners at CrowdStrike the ability to detect and quickly respond to threats to our IT systems and data. Together, the two systems give U-M exceptional proactive, prevention, and response capabilities, and provide unit IT staff with access to information they can use to protect their unit and U-M.


Strengthening Cybersecurity Preparedness with Collaboration and Integration

In FY25, ITS Information Assurance (IA) created a tool to use Michigan Intelligence for Threat Negation (MITN) security data with Cloudflare, a market leader in the website Distributed Denial of Service (DDoS) protection space. This helps the MITN repository better manage web security and reduce false alarms.

To further enhance the university’s cybersecurity infrastructure, the IA team established two working groups: disaster recovery and vulnerability management.

  • The Disaster Recovery Working Group focuses on operationalizing disaster preparedness within ITS. They coordinate with various departments and stakeholders to ensure an integrated and consistent approach to disaster recovery across ITS, including performing annual tabletop and failover exercises.

  • The Vulnerability Management Working Group brings together representatives from major units across all three U-M campuses. This new touchpoint gives each group a direct voice, lets IA surface and resolve Tenable issues in real time, and keeps service direction tightly aligned with evolving campus requirements.


Additional IA Highlights for FY25

  • Risk Management. IA is committed to safeguarding information security and achieving regulatory compliance. They have been focused on managing and mitigating various security risks within ITS, which involves conducting risk assessments to identify potential vulnerabilities or compliance issues. IA launched 30 risk assessments in FY25, using tools like Tenable and CrowdStrike to evaluate potential threats to our security. Of those 30 assessments, 21 have been completed, 8 are still ongoing, and 1 is under IA’s quality assurance review.

  • Regulatory Standards. During a risk assessment, IA looks at compliance with important standards and regulations, like FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act), CMMC (Cybersecurity Maturity Model Certification), and Export Control rules. Working with our compliance partners to ensure compliance with these regulations is crucial for protecting sensitive data and avoiding legal issues.